
Updating KV store with outputlookup

Reference:

https://hurricanelabs.com/splunk-tutorials/creating-and-cruding-a-kv-store-in-splunk-part-2/

Update an entry in KV store

Requirements:

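  • Provide _key=id (for the specific entry in the KV store), so that outputlookup knows which entry to update
  • Use append=true, so that the matching entry is updated and the rest of the collection is left untouched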

Example

Update the value of field_name of every matching entry in the KV store using the map command:

| inputlookup <kv_store>
`comment("Put any filter conditions here")`
| eval id=_key
| map search="| inputlookup <kv_store> | search _key=$id$ | eval field_name=\"<new value>\" | outputlookup append=true <kv_store>"
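
The same update can be done in a single pass without map, which by default runs at most 10 searches (maxsearches). This is an added example, not taken from the referenced tutorial; the filter field status and its value are hypothetical, and key_field=_key is the outputlookup option that replaces the record whose _key matches.

```spl
| inputlookup <kv_store>
`comment("Hypothetical filter: replace with the condition that selects the entries to update")`
| search status="pending"
`comment("Every other field of the row is carried through unchanged from inputlookup")`
| eval field_name="<new value>"
`comment("append=true keeps the rest of the collection; key_field=_key updates in place instead of adding rows")`
| outputlookup append=true key_field=_key <kv_store>
```

Run the search without the final outputlookup line first to preview the rows that will be rewritten.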

Delete an entry in KV store

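The following example assumes we have already obtained the value of _key for the specific entry we want to delete. Without append=true, outputlookup overwrites the whole KV store with the search results, so filtering the entry out and writing the remaining entries back deletes it: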

| inputlookup <kv_store>
| eval id=_key
| where NOT id="<specific key>"
| outputlookup <kv_store>