Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Accessing KV Store with Python - collection.data.query()

BernardEAI
Communicator
‎07-27-2021 01:14 AM
I'm trying to delete specific items from our kv store by using a python custom command. I retrieve the kv store with the following command:
 
collection = self.service.kvstore[collection_name]
 
I then retrieve all the entries in the kv store with:
 
data_list = collection.data.query()
 
This works correctly, however only 50000 of the entries are returned. Is there a parameter I can pass to query() to remove the limit of 50000?
 
Thanks!
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-27-2021 02:15 AM

Hi @BernardEAI 

limits.conf having 50k limit by default for [kvstore],  I guess you shall change that in conf can not be passed  in query as platform itself limiting it.

max_rows_per_query = <unsigned integer>
* The maximum number of rows that will be returned for a single query to
  a collection.
* If the query returns more rows than the specified value, then returned
  result set will contain the number of rows specified in this value.
* Default: 50000

 --

An upvote would  be appreciated and Accept solution if this reply helps!

View solution in original post

Reply
Solved! Jump to solution

BernardEAI
Communicator
‎07-27-2021 03:13 AM

Thanks @venkatasri 

On our DEV server this would be easy to solve,  I could change the max_rows_per_query parameter in limits.conf.

On our production environment, we are tenants on a multi-tenant platform, so we do not have access to the configuration files.

The approach I took here is to make use of the skip parameter that is available in the query function. I can then have a loop that runs through the entire kv store by incrementing the skip parameter:

           while end == False:

                data_list = collection.data.query(skip=skip_tracker)

                if len(data_list) != 0:
                
                    for item in data_list:
                        # perform action on entry in kv store (delete, update etc.)

                    skip_tracker += 50000

                else:
                    end = True

 More details on the query function here:

https://github.com/splunk/splunk-sdk-python/blob/13f07cd08f8b2017c1cdafc2fbc75673013dc713/splunklib/... 

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-27-2021 02:15 AM

Hi @BernardEAI 

limits.conf having 50k limit by default for [kvstore],  I guess you shall change that in conf can not be passed  in query as platform itself limiting it.

max_rows_per_query = <unsigned integer>
* The maximum number of rows that will be returned for a single query to
  a collection.
* If the query returns more rows than the specified value, then returned
  result set will contain the number of rows specified in this value.
* Default: 50000

 --

An upvote would  be appreciated and Accept solution if this reply helps!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...