Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

KV Store Update Multiple Records

kdroddy
Explorer
‎04-29-2020 06:14 PM

Quick question about KV store - wondering what the best way to update multiple records at once via search may be?

Example - let's say I have the most recent logon for users for the past week:

user1 - last_logon_time
user2 - last_logon_time
etc....

I would like to query last_logon_time for all users for the past day, then update the KV store with the most recent info. The goal would be to set this up as a schedule search running daily to keep the KV store updated.

Any thoughts?

Labels (1)
Labels
0 Karma
Reply

sciencenfaith
Engager
‎09-03-2020 02:26 PM

If I understood the question correctly, it seems very similar to updating a KV Store as described in https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/uselookupswithkvstore/, but with multiple entries at once. So, instead of: 

 

| inputlookup csvcoll_lookup | search _key=544948df3ec32d7a4c1d9755 | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True

 

try something like: 

 

| inputlookup csvcoll_lookup | where _key IN("544948df3ec32d7a4c1d9755","544948df3ec32d7a4c1d9756","544948df3ec32d7a4c1d9757") | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True

 

 

The critical difference is "| where _key IN" to list the keys you want to manipulate instead of searching for a single one.  

 

 

EDIT: sorry, I replied to the reply instead of the OP. Removed original and posted correctly.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 10:18 PM

@kdroddy

Can you please share your existing sample search/ code for updating KVStore and the sample KVstore fields?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...