Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to remove entire row from Kv Store lookup by running scheduled search??

Srubhi
Explorer
‎05-03-2023 09:39 AM

we have a search which is feeding data to kv store lookup let say lookup name 'sample_test'.

now i want to run a weekly scheduled search that will compare the index source data and the data in 'sample_test' and remove the entire row from the kv store lookup which are not in index source data.

Example:
KV store data ('sample_test')

XYZ
aA1
bB2
cC3
dD4
eE5


Index Source Data

XYZ
aA1
bB2
cC3
dD4


So ideally, when compare to above 2 tables last row in the kv store lookup in not present my source data i need to run a weekly scheduled search to remove that last row from the KV store.

It would be more helpful if anyone can help me to resolve this issue.

Happy Splunking!!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2023 12:34 PM

I may be over-simplifying, but it looks like you really just need to replace the existing lookup with the search results.

<<your search>>
| outputlookup sample_test key_field=foo
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...