Splunk Dev

How to create a KVStore using Python SDK w/ SPL commands?

yurippe
Explorer

Hello,
I am trying to create a kvstore that I can use in a | inputlookup and / or | lookup SPL command. I can create a KVStore using the python SDK, but it can not be used with the above commands.
(I have tried many things and variations in the create command, but this is what I assume to be the most correct:)

>>> splunk.kvstore.create(name="testkvstore", **{"sharing": "global"})
{'status': 201, ...}
>>> splunk.kvstore["testkvstore"].data.app
'system'
>>> splunk.kvstore["testkvstore"].data.sharing
'system'
>>> splunk.kvstore["testkvstore"].data.owner
'nobody'

>>> splunk.kvstore["testkvstore"].data.insert(json.dumps({"_key": "test", "value": "result"}))
{'_key': 'test'}

Yet I cannot find it with inputlookup nor lookup. This does not work in splunk cloud nor local instance

Labels (3)
0 Karma
1 Solution

starcher
Influencer

Did you create a transforms stanza to reference the kvstore collection?

View solution in original post

starcher
Influencer

Did you create a transforms stanza to reference the kvstore collection?

yurippe
Explorer

No, any tips on how I would do this via the RESP API ?

0 Karma

yurippe
Explorer

I figured it out, thank you very much
Here is enough code to be able to figure it out for anyone else who might stumble upon this:

kv = splunk.kvstore
kv.create(name="kvtestcollection", fields={"_key": "string", "name": "string"}, owner="nobody", sharing="system")
kv["kvtestcollection"].data.insert(json.dumps({"_key": "hello", "name": "world"}))
#kv["kvtestcollection"].delete()
transforms = splunk.confs["transforms"]
transforms.create(name="kvtestcollection_lookup", **{"external_type": "kvstore", "collection": "kvtestcollection", "fields_list": "_key, name", "owner": "nobody"})
#transforms["kvtestcollection_lookup"].delete()
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...