Creating and CRUDing a KV Store in Splunk: Part 2

In Part 1, we covered how to create a KV Store both through the UI, as well as by modifying collections.conf and transforms.conf. We also covered how to edit a KV Store directly using the Splunk Search Language. In this part, we will cover CRUDing our KV Store Collection.



Part 2: CRUD the KV Store

Remember, we will be interacting with the Lookup Definition (task_lookup) we set up in order to CRUD the data, as we cannot interact with the KV Store (task_collection) directly when using the Splunk Search Language.

Reading

Reading is the easiest. To read all the results, run:

| inputlookup task_lookup

And, if we want to find a specific row, all we need to do is run:

| inputlookup task_lookup | eval key=_key | search key=<key_id>

Creating

Go to the Splunk task app and in the default search window paste in the following:

| inputlookup task_lookup
| eval key=_key
| append [| stats count | eval Task_Name="Demo Task" | eval Task_Description="Description of task." | eval Estimated_Completion_Date="September 5th" | eval Notes="Some additional notes." | eval Status="In Progress"]
| table key, Task_Name, Task_Description, Estimated_Completion_Date, Notes, Status
| outputlookup task_lookup

This search first pulls all the rows from the lookup and exposes the hidden _key field by running | eval key=_key. It then uses append with a series of eval statements to build the new row, formats everything into a table, and outputs the values back into the lookup.

Updating

In order to update our values, all we need to do is change our search to find the specific key we want to modify. Then we can eval out new values for our fields, like so:

| inputlookup task_lookup
| eval key=_key
| where key="<specific_id>"
| eval Task_Name="Demo Task Modified"
| eval Task_Description="This is a modified description of the task"
| eval Estimated_Completion_Date="September 5th"
| eval Notes="These are some modified notes."
| eval Status="Complete"
| outputlookup task_lookup append=t

The key part is the append=t at the end. Without it, outputlookup would overwrite the whole lookup with only the row we selected.
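
Creation can also go through append=t, so the existing rows and their _key values are never read back and rewritten. This is an added example, not a search from the original post; it assumes the task_lookup definition and field names used above, and that the KV Store generates a _key for a row that arrives without one.

```spl
| makeresults
| eval Task_Name="Demo Task",
       Task_Description="Description of task.",
       Estimated_Completion_Date="September 5th",
       Notes="Some additional notes.",
       Status="In Progress"
| fields - _time
| outputlookup task_lookup append=t
```

Running | inputlookup task_lookup | eval key=_key afterwards shows the new row alongside the untouched existing ones.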

Deleting

Deleting a specific value from our KV store is also easy to do:

| inputlookup task_lookup
| eval key=_key
| where NOT key="<specific_id>"
| outputlookup task_lookup

Simply filter out the row you don’t want based on the ID of its key and output the rest of the rows back into the KV Store.

That’s it! You’ve now successfully created a KV Store and Lookup Definition, as well as learned how to successfully CRUD a KV Store Collection’s data.



