Splunk Enterprise

How to find KVstore last update date?

splunk_enjoyer1
Explorer

Hello,

The question is pretty simple, is there any way to query a KVstore to be able to find the last time that KVstore was updated?

I know how to do what for an Index but the query doesn't work for KVstores 😞

Thank you

Labels (1)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

While you can get a lot of information about the KVStore from REST commands (| rest /services/kvstore) that doesn't include any data update times.  There are no magic fields in collections, although it would be nice if there were.

You may want to consider adding a timestamp to your collections.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

What exactly are you looking for?

Each "row" in a KVStore collection can be updated individually so there is no one "update time" for a KVStore.

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunk_enjoyer1
Explorer

Basically we had a few scripts that were being ran via cronjobs and those scripts would update the KVstores periodically.

But at some point in time some scripts stopped working and I wanted to know if there was any way possible to check in Splunk when a KVstore was last updated.

Is there any way to check when a row was added/edited to a KVstore? Through querying the _key for example.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

AFAIK,  entries in KVStores are not timestamped until you explicitly put a timestamp field in them.

Perhaps there's something in the data stored in the collection that might hint at how current it is?

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunk_enjoyer1
Explorer

I thought there would be a way to query each row using the _key field or query the whole KVstore to find out when a certain row was added or edited by maybe using a hidden system field like _time for example.

Unfortunately other than that there is no real way for me to find out or have an accurate estimation of when certain rows were added or edited inside the KVstores 😞

0 Karma

richgalloway
SplunkTrust
SplunkTrust

While you can get a lot of information about the KVStore from REST commands (| rest /services/kvstore) that doesn't include any data update times.  There are no magic fields in collections, although it would be nice if there were.

You may want to consider adding a timestamp to your collections.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...