Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Update kvstore based on recalculated metrics?

sgtlongwell
New Member
‎08-22-2022 06:09 PM

I have a kvstore like below populated with about 1mil rows. 

_key name count1 count2 calculated_number1 calculated_number2
sha256 hash Joe Cool  1 2 3 4

 

How can I update the kvstore where I update the two counts and recalculate the two calculated numbers based on the newly updated counts? I am trying not to read in all 1 million rows and overwrite if I dont have to. 

Any potential pathways are welcome and I am here to learn. Thank you all. 

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 09:57 PM

With a kvstore, outputlookup command will replace the existing entry as long as you supply the original _key variable - it will not overwrite other rows if you use append=t, see example 6 here

https://docs.splunk.com/Documentation/Splunk/8.2.7/SearchReference/Outputlookup#Examples

 

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...