Is there any possibility to over write the index data ,
for example the data is indexing by the below query.
| inputlookup sample_Data.csv | collect index= Collected_data
if i indexing the some other data to the same index ,
in this scenario the old data in the index should be over write by the new data , if it is possible , can you please explain how to do it.
| inputlookup sample_Data2.csv | collect index= Collected_data
Hi @vinod743374,
you cannot modify any Splunk indexed data.
If you want a list of events always updated, you have to put them in a lookup or a KV Store.
Ciao.
Giuseppe
Hi @vinod743374,
you cannot modify any Splunk indexed data.
If you want a list of events always updated, you have to put them in a lookup or a KV Store.
Ciao.
Giuseppe
Hi @vinod743374,
tell me how can help you more.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
can you help me with any other alternative solution for my application.
is there any command or search query to delete the previous data (sample_data.csv) in index and indexing only the latest data (sample_data2.csv).
| inputlookup sample_data2.csv | collect index= Collected_data.
Hi @vinod743374,
you have to stop to think to Splunk as a DB!
Splunk indexed logs that are no longer editable until cleared!
If you need an always up-to-date situation of your data, you can create a search from your indexed data and save the results in a lookup using the outputlookup command.
At this point you can modify the data in the lookup that it's editable: in other words you can modify the data in the lookup but not in the Splunk indexes where they remain unchanged.
You can make changes to the lookup data using the Lookup Editor App or a specific search or JavaScript.
With Lookup Editor App it's very easy modify data but not controlled and not so beautiful.
Instead, updating lookup in a dashboard (using a search or a JS) it's not a five-minute work that can be suggested with an answer, but it does take time and Splunk knowledge.
To give you a hint of the steps to make it, you need to:
I'm sorry I can't help you more but it's not an immediate thing!
Ciao.
Giuseppe