Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to remove entire row from Kv Store lookup by running scheduled search??

Srubhi
Path Finder
‎05-03-2023 09:39 AM

we have a search which is feeding data to kv store lookup let say lookup name 'sample_test'.

now i want to run a weekly scheduled search that will compare the index source data and the data in 'sample_test' and remove the entire row from the kv store lookup which are not in index source data.

Example:
KV store data ('sample_test')

XYZ
aA1
bB2
cC3
dD4
eE5


Index Source Data

XYZ
aA1
bB2
cC3
dD4


So ideally, when compare to above 2 tables last row in the kv store lookup in not present my source data i need to run a weekly scheduled search to remove that last row from the KV store.

It would be more helpful if anyone can help me to resolve this issue.

Happy Splunking!!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2023 12:34 PM

I may be over-simplifying, but it looks like you really just need to replace the existing lookup with the search results.

<<your search>>
| outputlookup sample_test key_field=foo
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...