Solved: How to add a single inline insert to kv store?

bjoernjensen · ‎06-18-2015

Hi,

having several hundreds of searches scheduled. Depending on the result each search might have to insert (also) an entry into the kv store: all into one collection. (Im)Possible ways I am aware of:

REST
using POST on this endpoint: /storage/collections/data/mycollection could work, but since the rest search command will be one late part of each search, the rest command would not be the first search command. Therefore this approach does not work.
Another REST-thought was: I could try to embed the search within the rest search command syntactically, but this feels pretty bad in terms of maintenance.

outputlookup
with this approach I have to read the whole content of the collection, add one line, and then write it all back. This approach teems of non-scalability

Anyone?

bjoernjensen · ‎06-18-2015

Missed the most obvious approach: ... | outputlookup append=true mycollection_defintion | ....

View solution in original post

bjoernjensen · ‎06-18-2015

Missed the most obvious approach: ... | outputlookup append=true mycollection_defintion | ....

How to add a single inline insert to kv store?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?