Splunk SDK for Python: What is the best way to update a KV Store and add potential records if there is no key match?

goodsellt
Contributor

Hello!

I'm looking into using the Python SDK's KV store module to do some updating of a KV store. I've noticed that the insert & update functions are separate, leading me to ask this: How should I best go about updating a KV store and adding any potential records if there is no key match? Does the 'update' function create a new record if a key does not match, or would it return some kind of ValueError or something similar I can do a try/except loop for?

Also, are there any examples or guides out there for this functionality (apart from the reference manual which I've found)? I'd just like to see it in action so I can verify some other questions I had, such as should my "data" document string be the same JSON as I would put in the REST POST method?

Thanks!

0 Karma
1 Solution

goodsellt
Contributor

Old answer incorrect, here is corrected version:

If the record/key does not appear when you do a .data.update, the REST endpoint will return an HTTP 404 -- Object not found error.

What I've done to solve this problem is catch that exception inside of my Python script, and then have an alternative version of the object sent (with the _key in the document instead of an argument to the call) using .data.insert.

You're also able to use .data.batch_save with a properly parsed list of JSON documents, which invalidates the need for the above.

0 Karma
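
The update-then-insert fallback described in the accepted answer, as an added example that is not part of the original posts. `FakeCollectionData` and `FakeHTTPError` are constructed in-memory stand-ins so the code runs offline, and `upsert` is a hypothetical helper name; with the real SDK, `data` would be a collection's `.data` object and the exception would be `splunklib.binding.HTTPError`, which carries a `.status` attribute.

```python
import json


class FakeHTTPError(Exception):
    """Constructed stand-in for splunklib.binding.HTTPError (has .status)."""
    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status


class FakeCollectionData:
    """Constructed in-memory stand-in for collection.data, so this runs offline."""
    def __init__(self):
        self.records = {}

    def update(self, id, data):
        if id not in self.records:
            raise FakeHTTPError(404)      # same failure the answer describes
        self.records[id] = dict(json.loads(data), _key=id)

    def insert(self, data):
        doc = json.loads(data)
        self.records[doc["_key"]] = doc


def upsert(data, key, fields):
    """Update the record at `key`; on HTTP 404 insert it with _key in the body."""
    try:
        data.update(key, json.dumps(fields))
        return "updated"
    except Exception as exc:
        # Only "not found" means the record is missing; auth or schema
        # errors must surface instead of being masked by an insert.
        if getattr(exc, "status", None) != 404:
            raise
    data.insert(json.dumps(dict(fields, _key=key)))
    return "inserted"


def demo():
    data = FakeCollectionData()   # assumption: with the SDK, service.kvstore["name"].data
    first = upsert(data, "host-01", {"owner": "soc", "risk": 3})
    second = upsert(data, "host-01", {"owner": "soc", "risk": 7})
    return first, second, data.records["host-01"]


if __name__ == "__main__":
    print(demo())
```

Checking the status code before falling back matters when the KV store backs a lookup used by detections: a 403 or a schema rejection should fail loudly, not be retried as an insert.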

goodsellt
Contributor

I've found the update function will automatically upsert as long as I'm passing a key to it.

0 Karma

goodsellt
Contributor

This answer is incorrect. My testing was not valid.

0 Karma

organus
Explorer

This wouldn't work for me.

0 Karma