Creating and CRUDing a KV Store in Splunk: Part 2

Part 2: CRUD the KV Store

In Part 1, we covered how to create a KV Store both through the UI, as well as by modifying collections.conf and transforms.conf. We also covered how to edit a KV Store directly using the Splunk Search Language. In this part, we will cover CRUDing our KV Store Collection.

Remember, we will be interacting with the Lookup Definition (task_lookup) we set up in order to CRUD the data, as we cannot interact with the KV Store (task_collection) directly when using the Splunk Search Language.

Reading

Reading is the easiest. To read all the results run:

And, if we want to find a specific row, all we need to do is run:

Creating

Go to the Splunk task app and in the default search window paste in the following:

This search first pulls all the values from the lookup and then pulls out the hidden _key field by running | eval key=_key. We will then run append and eval out all of our values. Format them into a table and then output the values back into the lookup.

Updating

In order to update our values, all we need to do is change our search to find the specific key we want to modify. Then we can eval out new values for our fields, like so:

The key part is the append=t at the end. Otherwise, we would just overwrite the lookup.

Deleting

Deleting a specific value from our KV store is also easy to do:

Simply remove the field you don’t want based on the ID of the key and output the rest of the values back into the KV.

That’s it! You’ve now successfully created a KV Store and Lookup Definition, as well as learned how to successfully CRUD a KV Store Collection’s data.