Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find KVstore last update date?

splunk_enjoyer1
Explorer
‎01-02-2023 09:15 AM

Hello,

The question is pretty simple, is there any way to query a KVstore to be able to find the last time that KVstore was updated?

I know how to do what for an Index but the query doesn't work for KVstores 😞

Thank you

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2023 02:03 PM

While you can get a lot of information about the KVStore from REST commands (| rest /services/kvstore) that doesn't include any data update times.  There are no magic fields in collections, although it would be nice if there were.

You may want to consider adding a timestamp to your collections.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-02-2023 01:55 PM

What exactly are you looking for?

Each "row" in a KVStore collection can be updated individually so there is no one "update time" for a KVStore.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunk_enjoyer1
Explorer
‎01-02-2023 03:01 PM

Basically we had a few scripts that were being ran via cronjobs and those scripts would update the KVstores periodically.

But at some point in time some scripts stopped working and I wanted to know if there was any way possible to check in Splunk when a KVstore was last updated.

Is there any way to check when a row was added/edited to a KVstore? Through querying the _key for example.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-02-2023 05:16 PM

AFAIK,  entries in KVStores are not timestamped until you explicitly put a timestamp field in them.

Perhaps there's something in the data stored in the collection that might hint at how current it is?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunk_enjoyer1
Explorer
‎01-03-2023 11:47 AM

I thought there would be a way to query each row using the _key field or query the whole KVstore to find out when a certain row was added or edited by maybe using a hidden system field like _time for example.

Unfortunately other than that there is no real way for me to find out or have an accurate estimation of when certain rows were added or edited inside the KVstores 😞

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2023 02:03 PM

While you can get a lot of information about the KVStore from REST commands (| rest /services/kvstore) that doesn't include any data update times.  There are no magic fields in collections, although it would be nice if there were.

You may want to consider adding a timestamp to your collections.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...