Solved: How to add a single inline insert to kv store?

bjoernjensen · ‎06-18-2015

Hi,

having several hundreds of searches scheduled. Depending on the result each search might have to insert (also) an entry into the kv store: all into one collection. (Im)Possible ways I am aware of:

REST
using POST on this endpoint: /storage/collections/data/mycollection could work, but since the rest search command will be one late part of each search, the rest command would not be the first search command. Therefore this approach does not work.
Another REST-thought was: I could try to embed the search within the rest search command syntactically, but this feels pretty bad in terms of maintenance.

outputlookup
with this approach I have to read the whole content of the collection, add one line, and then write it all back. This approach teems of non-scalability

Anyone?

bjoernjensen · ‎06-18-2015

Missed the most obvious approach: ... | outputlookup append=true mycollection_defintion | ....

View solution in original post

bjoernjensen · ‎06-18-2015

Missed the most obvious approach: ... | outputlookup append=true mycollection_defintion | ....

How to add a single inline insert to kv store?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies