I have a lookup which is based on KV store. The lookup contains thousands of rows. We want to delete rows from this lookup which are older than 7 days.  To give an idea this is how the lookup looks like except that it contains thousands of rows. my_date name age Sep-1-2020 Rupert 20 Aug-31-2020 Sam 30 Aug-30-2020 Tony 25 Aug-29-2020 Prince 27 Aug-28-2020 Tom 24 Aug-27-2020 Sean 28 Aug-26-2020 Roger 21    We keep on appending new data to this lookup on a daily basis but we don't really care about data which are 7 days old and hence want to remove those rows. How do I do remove the rows efficiently from this KV store based lookup. I know the classic way to do this would be to search for rows that are newer than 7 days and output the results to the same lookup. Something like,   inputlookup my_lookup | where date > now()-7 days | outputlookup my_lookup     But given that the lookup contains tons of rows, I would like to do this efficiently and remove just the old rows instead of writing the entire result set again. This should be possible with KV store but I am unable to figure out how.   ... View more

I have this query which when I run, index=*aws_config* resourceType=TERM("AWS::EC2::Volume") | search ARN="arn:aws:ec2:eu-west-1:848889366260:volume/vol-0ecf419c9cd71857c" | table ARN, "tags.Genie.ArchPath" | dedup ARN gives following results. Notice that value of field "tags.Genie.ArchPath" is blank. This is what I expect +-----------------------------------------------------------------+---------------------+ | ARN | tags.Genie.ArchPath | +-----------------------------------------------------------------+---------------------+ | arn:aws:ec2:eu-west-1:848889366260:volume/vol-0ecf419c9cd71857c | | +-----------------------------------------------------------------+---------------------+ However when change the query so that dedup is called earlier, I get strange results, index=*aws_config* resourceType=TERM("AWS::EC2::Volume") | dedup ARN | table ARN, "tags.Genie.ArchPath" | search ARN="arn:aws:ec2:eu-west-1:848889366260:volume/vol-0ecf419c9cd71857c" The results I get are as shown below. Now the value of field "tags.Genie.ArchPath" is not blank. It strangely is a pipe(|) separated concatenation of source, host and sourcetype. +----------------------------------+--------------------------------------------------+ | ARN | tags.Adobe.ArchPath | +----------------------------------+--------------------------------------------------+ | arn:aws:ec2:eu-west-1:8488893662 | | | 60:volume/vol-0ecf419c9cd71857c | source::mavl://adobe-mavlink-prod-confi | | | g/AWSLogs/848889366260/Config/eu-west- | | | 1/2020/4/26/ConfigSnapshot/84888936626 | | | 0_Config_eu-west-1_ConfigSnapshot_2020 | | | 0426T110637Z_6375f945-8932-4196-ab9f-27 | | | 1c3333c55a.json.gz|host::840136feca32|aws:config | +----------------------------------+--------------------------------------------------+ I fail to understand shy this is happening. Ideally both the queries should give same results. Would really appreciate if someone can help here. Thanks, Ashish ... View more

Hello there, Is there a way to address all fields case insensitively. To illustrate my point I have this query, index=*aws_config* resourceType="AWS::EC2::Volume" | eval tag_CostCenter=If(isnotnull('tags.Brand.CostCenter') OR isnotnull('tags.brand.costcenter') OR isnotnull('tags.brand.Costcenter' OR isnotnull('tags.brand.costCenter' OR isnotnull('tags.brand.COSTCENTER' OR isnotnull('tags.brand.costCENTER'), "Yes", "No") My data can have fields CostCenter, costCenter, COSTCENTER and many other case variations (And there can be tens of variations). Currently I am handling them by separating each variation with an OR. Is there a way to collectively query on all such case variations of a a field name instead of using multiple OR clauses. I know we can use coalesce or field aliases but that still means that I need to specify all possible field names somewhere. Thanks. ... View more