we have a search which is feeding data to kv store lookup let say lookup name 'sample_test'.now i want to run a weekly scheduled search that will compare the index source data and the data in 'sample_test' and remove the entire row from the kv store lookup which are not in index source data.Example:KV store data ('sample_test')
Index Source Data
So ideally, when compare to above 2 tables last row in the kv store lookup in not present my source data i need to run a weekly scheduled search to remove that last row from the KV store.It would be more helpful if anyone can help me to resolve this issue.Happy Splunking!!
I may be over-simplifying, but it looks like you really just need to replace the existing lookup with the search results.
| outputlookup sample_test key_field=foo