How does one safely merge a KV store?

Splunk Enterprise Security

Highlighted

We migrated Splunk ES from an old windows server to a new Linux server. Everything is good to go except we want to copy the old data from the incident_review kv store. It seemed simple to

|inputlookup incident_review

on the old search head and download that to a .csv (old_kv.csv), which could be uploaded to the new search head where

|inputlookup oldkv.csv | outplutlookup incidentreview append=t

would merge the old data into the new kvstore. Seems pretty straight forward, but I don't know how the notables index is joined to the incident_review kv store in ES. Does anyone know if this would work?

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.

How does one safely merge a KV store?

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.

Share your experience in our Career Survey Now!

Share your experience in our
Career Survey Now!