Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Deleting Data from KV Store

newbie2tech
Communicator
‎02-26-2020 02:34 AM

Hi Team,

We have a kvstore with about ~95 million events dating back to 3 years.

Key of the kvstore is unique numeric field. We also have timestamp among other fields.

We have requirement to only retain only 1 year worth of data.

I would like to know what would be the best way to get rid of old data.

Also is there a way to specify to drop any data which is older than 1 year going forward like index retention time.

We have clustered sh and indexer environment.

We are at Splunk version 6.11

Thank you!

0 Karma
Reply

darrenfuller
Contributor
‎02-26-2020 10:52 AM

Hi newbie2tech,

You need to create a mongo formatted query (since kvstore is a mongodb at its core, albeit a modified mongodb, so you can't just point a mongodb tool at it to manage it.)

Like so, if you have a query to look at your kvstore like so: 

 |inputlookup my_kv_store where LastUpdateTime<1551139200

in Mongodb query format that would look like so: 

 {"LastUpdateTime": {"$lt": 1551139200}}

Next, you need to take that and url encode it, using a tool like: http://meyerweb.com/eric/tools/dencoder/ which turns this: 

{"LastUpdateTime": {"$lt": 1551139200}}

Into this: 

%7B%22LastUpdateTime%22%3A%20%7B%22%24lt%22%3A%201551139200%7D%7D

Lastly, run the following from a command line that supports curl, and can access your Splunk search head: 

curl -k -u admin:changeme -X DELETE https://splunkhost:8089/servicesNS/nobody/<appname_where_kvstore_is_defined>/storage/collections/dat...

Making sure you replace the and placeholders with the actual values relevant to your environment and pasting your mongo query after the query= point in the command.

Last point, measure twice, cut once.. Maybe create a test kvstore, put some dummy data in it and test this before you run it against your 3 years kvstore data and accidentally blow it all away. A backup of the kvstore might also be in order before this. (Call me paranoid).

Good luck.
Darren

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...