Re: Is outputlookup command atomic?

lukasz92 · ‎08-17-2016

Hi,

Do you know if "outputlookup" is an atomic operation (for both kvstores and csv files)?

I have something like: | inputlookup xyz | (many commands) | outputlookup xyz
I need a guarantee that xyz lookup is either replaced with a new version or left untouched (in case of stopping search, system crash etc).

gfuente · ‎08-18-2016

Hello

From this doc:

http://dev.splunk.com/view/SP-CAAAEY7

Kv Store operations apply to individual records:

Perform Create-Read-Update-Delete (CRUD) operations on individual records using the Splunk REST API and lookups using the Splunk search language.

While the csv files are rewrited entirely:

Requires a full rewrite of a file for edit operations.

So, I would say that the csv files are rewrited completely or not touched, while updating a KV Store could be partial. That´s my understanding from that estatements

Hope it helps

Regards

mtranchita · ‎08-18-2016

Maybe not an answer but thinking this through...
Each search generates artifacts in the dispatch directory. As I understand it each search artifacts are a csv with the results of the search. Each pipe does 'something' to the csv file in a linear way.
Don't know if this is true but using that logic the csv file would need to be completed before it hit the outputlookp pipe.

Is outputlookup command atomic?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk