How to delete old data before ingesting new data f...

garrywilmeth · ‎02-23-2023

I have a few spreadsheets that are ingested into Splunk daily. What is the best method to refresh the data, so I don't end up with duplicates? I am looking to do something like this:

Today: Ingest spreadsheet.csv
Tomorrow: delete previous data for spreadsheet.csv and then ingest new data

Thanks,

Garry

gcusello · ‎02-23-2023

Hi @garrywilmeth,

if you're not interested to historical series, you can use the solution from @scelikok .

If instead you need to know the historical situation, you should ingest new data in an index and use time in your searches to identify the values to use.

Ciao.

Giuseppe

scelikok · ‎02-23-2023

Hi @garrywilmeth,

It seems better to use your CSV files as a lookup.

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ConfigureCSVlookups

If this reply helps you an upvote and "Accept as Solution" is appreciated.

How to delete old data before ingesting new data from CSV - Refresh Data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation