Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to remove entire row from Kv Store lookup by running scheduled search??

Srubhi
Explorer
‎05-03-2023 09:39 AM

we have a search which is feeding data to kv store lookup let say lookup name 'sample_test'.

now i want to run a weekly scheduled search that will compare the index source data and the data in 'sample_test' and remove the entire row from the kv store lookup which are not in index source data.

Example:
KV store data ('sample_test')

XYZ
aA1
bB2
cC3
dD4
eE5


Index Source Data

XYZ
aA1
bB2
cC3
dD4


So ideally, when compare to above 2 tables last row in the kv store lookup in not present my source data i need to run a weekly scheduled search to remove that last row from the KV store.

It would be more helpful if anyone can help me to resolve this issue.

Happy Splunking!!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2023 12:34 PM

I may be over-simplifying, but it looks like you really just need to replace the existing lookup with the search results.

<<your search>>
| outputlookup sample_test key_field=foo
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...