Hello,
The question is pretty simple, is there any way to query a KVstore to be able to find the last time that KVstore was updated?
I know how to do what for an Index but the query doesn't work for KVstores 😞
Thank you
While you can get a lot of information about the KVStore from REST commands (| rest /services/kvstore) that doesn't include any data update times. There are no magic fields in collections, although it would be nice if there were.
You may want to consider adding a timestamp to your collections.
What exactly are you looking for?
Each "row" in a KVStore collection can be updated individually so there is no one "update time" for a KVStore.
Basically we had a few scripts that were being ran via cronjobs and those scripts would update the KVstores periodically.
But at some point in time some scripts stopped working and I wanted to know if there was any way possible to check in Splunk when a KVstore was last updated.
Is there any way to check when a row was added/edited to a KVstore? Through querying the _key for example.
AFAIK, entries in KVStores are not timestamped until you explicitly put a timestamp field in them.
Perhaps there's something in the data stored in the collection that might hint at how current it is?
I thought there would be a way to query each row using the _key field or query the whole KVstore to find out when a certain row was added or edited by maybe using a hidden system field like _time for example.
Unfortunately other than that there is no real way for me to find out or have an accurate estimation of when certain rows were added or edited inside the KVstores 😞
While you can get a lot of information about the KVStore from REST commands (| rest /services/kvstore) that doesn't include any data update times. There are no magic fields in collections, although it would be nice if there were.
You may want to consider adding a timestamp to your collections.