Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create data according to search results?

NimrodSky
Explorer
‎11-03-2015 08:02 AM

Hi all,

I"m kind of new to Splunk to maybe I am not using the right terms, but I need help with this scenario:

I have a stream of events indexed in my Splunk, where events can be "user_added" or "user_removed". I want to create a database with valid users, meaning that when I get "user_added" I will add the username to a new table, and when I get "user_removed" I will remove it from the table.

Thanks for your help

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-03-2015 12:35 PM

You need to create a KV Store Collection (your DB), then start a Real-Time search with script actions to call the REST Endpoints (described in link below) to add and remove individual records.

http://dev.splunk.com/view/SP-CAAAEZG

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-03-2015 12:35 PM

You need to create a KV Store Collection (your DB), then start a Real-Time search with script actions to call the REST Endpoints (described in link below) to add and remove individual records.

http://dev.splunk.com/view/SP-CAAAEZG

Reply
Solved! Jump to solution

DMohn
Motivator
‎11-03-2015 08:34 AM

Can you please specify what you mean with "creating a database"? Do you want a Splunk report with all valid users, or do you really want to export the search results into a database?

0 Karma
Reply
Solved! Jump to solution

NimrodSky
Explorer
‎11-03-2015 11:25 PM

I want this list to be available for other searchs, so I think I need to export the results, and not only that, I want to remove existing data according to new results

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...