Splunk Search

How to save search results to KV store?

New Member

I have a simple search:

index=abc OR index=xxx | transaction DIGEST | eval match_count=mvcount(sourcetype) | eval Digest_MATCH=if(match_count==2,"MATCH","MISSING") | table _time, DIGEST, Digest_MATCH, sourcetype

I want to store all rows where digest_match = missing into a KV store and look up values to see if there are any matches for missing values in future searches.



Here is a great posting on this subject


Splunk Employee

Hi Pragadeesh,

You'll need to use the outputlookup command to push those results into a lookup. From there, you can convert your lookup table to a KV Store.

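As an added example that is not part of the original thread, here is the full sequence the answer describes: define a KV store collection, expose it as a lookup, write the MISSING rows into it with outputlookup, and consult it from a later search. The collection name `missing_digests`, the lookup name `missing_digests_lookup`, the app path and the `first_seen` field are assumptions; the search itself is the one from the question, filtered to the MISSING rows. It also assumes `DIGEST` is unique per row so it can serve as the KV store `_key`.

```conf
# --- Step 1: define the KV store collection (assumed name: missing_digests) ---
# $SPLUNK_HOME/etc/apps/<your_app>/local/collections.conf
[missing_digests]
field.DIGEST     = string
field.sourcetype = string
field.first_seen = time
# index on DIGEST so later | lookup calls against a large collection stay fast
accelerated_fields.digest_idx = {"DIGEST": 1}

# --- Step 2: expose the collection as a lookup so | lookup and | outputlookup can use it ---
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf
[missing_digests_lookup]
external_type = kvstore
collection    = missing_digests
fields_list   = _key, DIGEST, sourcetype, first_seen

# --- Step 3: the search from the question, kept to MISSING rows and written to the KV store ---
# Setting _key to DIGEST makes a re-run update the existing record instead of adding a duplicate;
# append=true is what turns outputlookup into an upsert rather than a full replacement.
index=abc OR index=xxx
| transaction DIGEST
| eval match_count=mvcount(sourcetype)
| eval Digest_MATCH=if(match_count==2,"MATCH","MISSING")
| where Digest_MATCH="MISSING"
| eval _key=DIGEST, first_seen=_time
| table _key, DIGEST, sourcetype, first_seen
| outputlookup append=true missing_digests_lookup

# --- Step 4: in a later search, flag events whose DIGEST was previously recorded as missing ---
index=abc OR index=xxx
| lookup missing_digests_lookup DIGEST OUTPUT first_seen AS previously_missing_at
| where isnotnull(previously_missing_at)
| table _time, DIGEST, sourcetype, previously_missing_at
```

Steps 1 and 2 can equally be done in the UI under Settings > Lookups > KV store collections and Lookup definitions; either way the lookup's sharing and permissions must allow the role running the searches to read and write it. Without `append=true`, outputlookup replaces the entire collection with the current result set, so leave it on if the goal is to accumulate missing digests across runs.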