Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How does one safely merge a KV store?

PirateJokes
Engager
โ€Ž04-05-2020 11:25 PM

We migrated Splunk ES from an old windows server to a new Linux server. Everything is good to go except we want to copy the old data from the incident_review kv store. It seemed simple to

|inputlookup incident_review

on the old search head and download that to a .csv (old_kv.csv), which could be uploaded to the new search head where

|inputlookup old_kv.csv | outplutlookup incident_review append=t

would merge the old data into the new kvstore. Seems pretty straight forward, but I don't know how the notables index is joined to the incident_review kv store in ES. Does anyone know if this would work?

0 Karma
Reply
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!