Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: How to delete data from a KVStore based on som...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to delete data from a KVStore based on some criteria
How can I delete data from a KV store based on some criteria, for instance, to delete the aged data based on a timestamp field?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can also delete data from KVstore using REST API
Please look at this doc.
http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZG
Delete the record with the key ID " 5410be5441ba15298e4624d1":
curl -k -u admin:changeme -X DELETE \
https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll/5410be5441...
if you don't have permissions to the box - then use the Rest command in UI
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@PowerPacked If you're still alive on this forum i'd really appreciate if you could elaborate on
if you don't have permissions to the box - then use the Rest command in UI
I'm trying to figure out exactly how to delete a specific key from KV Store via UI. If you have any sample code or links or anything that could push me in the righ direction then please share 🙂
Regards,
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunkrocks2014, perform inputlookup on KV Store, then apply search filter to get data only falling in the recent required time. Finally perform outputlookup to the same KV Store to keep only required results.
You can then save the search as Scheduled Report to perform this on a regular basis.
If you can not figure out the query and need further help from the community members, you can add further details like KV Store name, and name of the fields along with sample data. Also what is the criteria for Date Range to drop events from KV Store? Is you timestamp field String Date or Epoch Date?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was thinking the way you described, but it doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inputlookup and search should work. May I know if the issue is with outputlookup? Are you seeing any error in Job Inspector/Splunk _internal logs?
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
