Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is outputlookup command atomic?

lukasz92
Communicator
‎08-17-2016 06:35 AM

Hi,

Do you know if "outputlookup" is an atomic operation (for both kvstores and csv files)?

I have something like: | inputlookup xyz | (many commands) | outputlookup xyz
I need a guarantee that xyz lookup is either replaced with a new version or left untouched (in case of stopping search, system crash etc).

0 Karma
Reply

gfuente
Motivator
‎08-18-2016 07:16 AM

Hello

From this doc:

http://dev.splunk.com/view/SP-CAAAEY7

Kv Store operations apply to individual records:

Perform Create-Read-Update-Delete (CRUD) operations on individual records using the Splunk REST API and lookups using the Splunk search language.

While the csv files are rewrited entirely:

Requires a full rewrite of a file for edit operations.

So, I would say that the csv files are rewrited completely or not touched, while updating a KV Store could be partial. That´s my understanding from that estatements

Hope it helps

Regards

0 Karma
Reply

mtranchita
Communicator
‎08-18-2016 06:34 AM

Maybe not an answer but thinking this through...
Each search generates artifacts in the dispatch directory. As I understand it each search artifacts are a csv with the results of the search. Each pipe does 'something' to the csv file in a linear way.
Don't know if this is true but using that logic the csv file would need to be completed before it hit the outputlookp pipe.

0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...