Splunk Enterprise

How to find KVstore last update date?

splunk_enjoyer1
Explorer

Hello,

The question is pretty simple: is there any way to query a KVstore to be able to find the last time that KVstore was updated?

I know how to do that for an Index but the query doesn't work for KVstores 😞

Thank you


richgalloway
SplunkTrust

What exactly are you looking for?

Each "row" in a KVStore collection can be updated individually so there is no one "update time" for a KVStore.

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunk_enjoyer1
Explorer

Basically we had a few scripts that were being run via cronjobs and those scripts would update the KVstores periodically.

But at some point in time some scripts stopped working and I wanted to know if there was any way possible to check in Splunk when a KVstore was last updated.

Is there any way to check when a row was added/edited to a KVstore? Through querying the _key for example.

0 Karma

richgalloway
SplunkTrust

AFAIK, entries in KVStores are not timestamped until you explicitly put a timestamp field in them.

Perhaps there's something in the data stored in the collection that might hint at how current it is?

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunk_enjoyer1
Explorer

I thought there would be a way to query each row using the _key field or query the whole KVstore to find out when a certain row was added or edited by maybe using a hidden system field like _time for example.

Unfortunately, other than that, there is no real way for me to find out or have an accurate estimation of when certain rows were added or edited inside the KVstores 😞

0 Karma

richgalloway
SplunkTrust

While you can get a lot of information about the KVStore from REST commands (| rest /services/kvstore), that doesn't include any data update times. There are no magic fields in collections, although it would be nice if there were.

You may want to consider adding a timestamp to your collections.

---
If this reply helps you, Karma would be appreciated.
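
One way to act on the suggestion of adding a timestamp to the collection, as an added example that is not part of the original thread: the writer script stamps every record before saving it, and a check over rows read back reports how old the newest write is. The field name `last_updated`, the function names and the sample rows are assumptions made for this sketch; the HTTP call itself is left to the existing cron script.

```python
import json
import time

TS_FIELD = "last_updated"  # assumed field name; KV store has no built-in equivalent


def stamp_records(records, now=None):
    """Return copies of the records with an epoch timestamp set by the writer."""
    now = int(time.time()) if now is None else int(now)
    return [{**rec, TS_FIELD: now} for rec in records]


def batch_save_body(records, now=None):
    """JSON array body for POST storage/collections/data/<collection>/batch_save."""
    return json.dumps(stamp_records(records, now))


def freshness(rows, max_age_seconds, now=None):
    """Summarise how current a collection is from rows read back out of it."""
    now = int(time.time()) if now is None else int(now)
    stamps, unstamped = [], []
    for row in rows:
        try:
            stamps.append(int(float(row[TS_FIELD])))
        except (KeyError, TypeError, ValueError):
            # Rows written before the field existed, or with a bad value.
            unstamped.append(row.get("_key"))
    newest = max(stamps) if stamps else None
    age = None if newest is None else now - newest
    return {
        "newest": newest,
        "age_seconds": age,
        "unstamped_keys": unstamped,
        # No usable timestamp at all is treated as stale, not as healthy.
        "stale": age is None or age > max_age_seconds,
    }


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value for a repeatable demo
    # Constructed rows: one written two hours ago, one legacy row with no stamp.
    saved = json.loads(batch_save_body([{"_key": "a", "ip": "198.51.100.7"}], now - 7200))
    rows = saved + [{"_key": "legacy", "ip": "203.0.113.9"}]
    print(freshness(rows, max_age_seconds=3600, now=now))
```

Running the freshness check from its own scheduled job, separate from the writer, means a silently failing cron script shows up as a growing `age_seconds` rather than going unnoticed.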