Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a KV store that pulls events from an indexer?

naqviah
Explorer
‎10-03-2016 10:52 AM

Hi,

I am trying to create a KV Store that pulls events from an indexer. It should display the Event, Log Line, Domain, and IP. Additionally, it should have a comment box and name of the person who is adding the comment pulled from the user account making the change. The comment box should also have an audit trail since numerous users are able to input a comment for an event.

Can someone help me with this? How should i approach it? Any documentation that will allow me to do this?

Thanks

0 Karma
Reply

dperre_splunk
Splunk Employee
Splunk Employee
‎10-03-2016 01:37 PM

Links with details below but kvstores can be appended just like lookup tables. So you just need to create a search like something below

your search | table event,longline,domain,ip | outputlookup yourkvstorename append=true

Really awesome write up on kvstores here.

http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZK

Similar question here
https://answers.splunk.com/answers/227766/is-there-an-easy-way-to-update-a-record-in-kv-stor.html

And a link to how you can append a kvstore.

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Outputlookup

Reply

naqviah
Explorer
‎10-05-2016 11:17 AM

I am still unable to add a COMMENT TEXT BOX for each event in the table. Also, I need to add a checkbox in front of each event. Please HELP!

0 Karma
Reply

dperre_splunk
Splunk Employee
Splunk Employee
‎10-05-2016 01:56 PM

This sounds like you are trying to make something like the investigator timeline from Enterprise Security.

Also what you are trying to achieve is not what KV Stores are traditionally used for. Have a look at the Splunk Java SDK. With the java sdk you can write your own dashboards and as it's JS you have a lot of flexibility with the scripting language.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...