Knowledge Management

Why doesn't the splunk clean kvstore command give any feedback?

danielbb
Motivator

Based on Why does the tSessions_Lookup_Update report take a long time to complete?

I ran the following commands -

splunk clean kvstore -app splunk_app_windows_infrastructure -collection tSessions_collection
splunk clean kvstore -app splunk_app_windows_infrastructure -collection tSessions_Lookup_Update
splunk clean kvstore -app splunk_app_windows_infrastructure -collection tSessions_collecti

All the names are probably wrong as the name appears to be tSessions. What bothers me is the fact that running the command, doesn't produce any output. Why is it? Are there any other commands to administer the kvstore lookups?

Labels (1)
Tags (1)
0 Karma
1 Solution

13tsavage
Communicator

The clean command does not give much feedback because it is intended to clean up a component of a Splunk installation (eventdata, user data, global data, etc). There are other administrative CLI commands that give more detailed feedback to the user like the show command.

The clean command does respond with a confirmation prompt to allows the person executing the command to think twice about what it is about to do. This can be skipped by adding a -f flag at the end of the command.

View solution in original post

0 Karma

13tsavage
Communicator

The clean command does not give much feedback because it is intended to clean up a component of a Splunk installation (eventdata, user data, global data, etc). There are other administrative CLI commands that give more detailed feedback to the user like the show command.

The clean command does respond with a confirmation prompt to allows the person executing the command to think twice about what it is about to do. This can be skipped by adding a -f flag at the end of the command.

0 Karma

13tsavage
Communicator

I believe the clean command does not give much feedback because it is intended to clean up a component of a Splunk installation (eventdata, user data, global data, etc). There are other administrative CLI commands that give more detailed feedback to the user like the show command.

The clean command does respond with a confirmation prompt to allows the person executing the command to think twice about what it is about to do. This can be skipped by adding a -f flag at the end of the command.

danielbb
Motivator

Ok, do you how we can use show command to see the available kvstore lookups?

0 Karma

13tsavage
Communicator

Not sure how to use the show command specifically to view kvstore lookups.

You could use ./bin/splunk btool transforms list --debug and add an --app= but this will print out all the transforms for that specific app (including all defaults). So it would look like this:
./bin/splunk btool --app=splunk_app_windows_infrastructure transforms list --debug

danielbb
Motivator

Nice. Running ./splunk btool --app=splunk_app_windows_infrastructure transforms list --debug | grep -i tsession shows -

$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/transforms.conf [tSessions]
$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/transforms.conf collection = tSessions_collection

It doesn't show the size, but we can see the size via the MC...

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...