Delete specific entries from KV Store

srinivasgowda · ‎03-09-2021

Hello all,

I am working on getting specific entries deleted once the search runs and holds true.

Below is the detailed outline of what I am trying to achieve.

The recovery_flag in the kv store that contains the data of source is set to 1 and 0 based on the requirement. However, I am trying to delete the entries with recovery_flag = 0 on the next run of the search, this way the unwanted entries are removed. Can you guide me through this.

Thank you.

isoutamo · ‎03-09-2021

Hi
Have you try this: https://splunkbase.splunk.com/app/5328/ ?
I'm using it for kvstore backups on SHC / SH environments, but haven't try it with managing individual keys.
r. Ismo

manjunathmeti · ‎03-09-2021

hi @srinivasgowda,
You can use rest API to delete records in kvstore collection. Replace APP_NAME and KVSTORE_COLLECTION_NAME and run the below command. You can also use tools like the postman to achieve this.

curl -k -u admin:changeme https://SPLUNK_SERVER_IP:8089/servicesNS/nobody/APP_NAME/storage/collections/data/KVSTORE_COLLECTION_NAME -X DELETE -H "Content-Type: application/json" -d '{ "query":{"recovery_flag":0}}'

If this reply helps you, an upvote/like would be appreciated.

Delete specific entries from KV Store

search job inspector

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio