Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How does one safely merge a KV store?

PirateJokes
Engager
‎04-05-2020 11:25 PM

We migrated Splunk ES from an old windows server to a new Linux server. Everything is good to go except we want to copy the old data from the incident_review kv store. It seemed simple to

|inputlookup incident_review

on the old search head and download that to a .csv (old_kv.csv), which could be uploaded to the new search head where

|inputlookup oldkv.csv | outplutlookup incidentreview append=t

would merge the old data into the new kvstore. Seems pretty straight forward, but I don't know how the notables index is joined to the incident_review kv store in ES. Does anyone know if this would work?

0 Karma
Reply