Solved: Why doesn't the splunk clean kvstore command give ...

danielbb · ‎01-23-2020

Based on Why does the tSessions_Lookup_Update report take a long time to complete?

I ran the following commands -

splunk clean kvstore -app splunk_app_windows_infrastructure -collection tSessions_collection
splunk clean kvstore -app splunk_app_windows_infrastructure -collection tSessions_Lookup_Update
splunk clean kvstore -app splunk_app_windows_infrastructure -collection tSessions_collecti

All the names are probably wrong as the name appears to be tSessions. What bothers me is the fact that running the command, doesn't produce any output. Why is it? Are there any other commands to administer the kvstore lookups?

13tsavage · ‎01-24-2020

The clean command does not give much feedback because it is intended to clean up a component of a Splunk installation (eventdata, user data, global data, etc). There are other administrative CLI commands that give more detailed feedback to the user like the show command.

The clean command does respond with a confirmation prompt to allows the person executing the command to think twice about what it is about to do. This can be skipped by adding a -f flag at the end of the command.

View solution in original post

13tsavage · ‎01-24-2020

The clean command does not give much feedback because it is intended to clean up a component of a Splunk installation (eventdata, user data, global data, etc). There are other administrative CLI commands that give more detailed feedback to the user like the show command.

The clean command does respond with a confirmation prompt to allows the person executing the command to think twice about what it is about to do. This can be skipped by adding a -f flag at the end of the command.

13tsavage · ‎01-24-2020

I believe the clean command does not give much feedback because it is intended to clean up a component of a Splunk installation (eventdata, user data, global data, etc). There are other administrative CLI commands that give more detailed feedback to the user like the show command.

The clean command does respond with a confirmation prompt to allows the person executing the command to think twice about what it is about to do. This can be skipped by adding a -f flag at the end of the command.

danielbb · ‎01-24-2020

Ok, do you how we can use show command to see the available kvstore lookups?

13tsavage · ‎01-24-2020

Not sure how to use the show command specifically to view kvstore lookups.

You could use ./bin/splunk btool transforms list --debug and add an --app= but this will print out all the transforms for that specific app (including all defaults). So it would look like this:
./bin/splunk btool --app=splunk_app_windows_infrastructure transforms list --debug

danielbb · ‎01-24-2020

Nice. Running ./splunk btool --app=splunk_app_windows_infrastructure transforms list --debug | grep -i tsession shows -

$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/transforms.conf [tSessions]
$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/transforms.conf collection = tSessions_collection

It doesn't show the size, but we can see the size via the MC...

Why doesn't the splunk clean kvstore command give any feedback?

kvstore

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?