Splunk Enterprise Security

How does one safely merge a KV store?


We migrated Splunk ES from an old windows server to a new Linux server. Everything is good to go except we want to copy the old data from the incident_review kv store. It seemed simple to

|inputlookup incident_review

on the old search head and download that to a .csv (old_kv.csv), which could be uploaded to the new search head where

|inputlookup oldkv.csv | outplutlookup incidentreview append=t

would merge the old data into the new kvstore. Seems pretty straight forward, but I don't know how the notables index is joined to the incident_review kv store in ES. Does anyone know if this would work?

0 Karma