Solved: How to add a single inline insert to kv store?

bjoernjensen · ‎06-18-2015

Hi,

having several hundreds of searches scheduled. Depending on the result each search might have to insert (also) an entry into the kv store: all into one collection. (Im)Possible ways I am aware of:

REST
using POST on this endpoint: /storage/collections/data/mycollection could work, but since the rest search command will be one late part of each search, the rest command would not be the first search command. Therefore this approach does not work.
Another REST-thought was: I could try to embed the search within the rest search command syntactically, but this feels pretty bad in terms of maintenance.

outputlookup
with this approach I have to read the whole content of the collection, add one line, and then write it all back. This approach teems of non-scalability

Anyone?

bjoernjensen · ‎06-18-2015

Missed the most obvious approach: ... | outputlookup append=true mycollection_defintion | ....

View solution in original post

bjoernjensen · ‎06-18-2015

Missed the most obvious approach: ... | outputlookup append=true mycollection_defintion | ....

How to add a single inline insert to kv store?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases