Purging lookup table of old entries

saurabhkunte · ‎11-29-2017

Hi All,

I have a lookup table where I am maintaining States of a field. It's rather a chatty table and grows to a large size over time. I would like to purge the entries in the lookup table older than 2 months and run this on daily schedule. How would I do that ?

The fields contain _time field which can be used to purge older rows in the lookup. Any help appreciated.

Thank you.

kamlesh_vaghela · ‎11-29-2017

@saurabhkunte,

Can you please try this search?

Execute this search for that time window span whose record you want to keep.

| inputlookup my_csv_lookup | addinfo | where ((NOT isnum(info_max_time)) OR _time > info_min_time AND _time < info_max_time)

This search will give you your expected rows in lookup.

| inputlookup my_csv_lookup | addinfo | where ((NOT isnum(info_max_time)) OR _time > info_min_time AND _time < info_max_time) | outputlookup my_csv_lookup

This search will overwrite lookup file with your expected rows.

Thanks

Purging lookup table of old entries

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

Purging lookup table of old entries

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...