Migrate your app from using CSV files to KV Store

If your app is currently using CSV files, you can start using KV Store with just a few steps.

Before you convert your app, you should verify that KV Store is the right choice for you. Review the section The KV Store vs. CSV files for a summary of pros and cons for each solution. For example, KV Store is great for frequently-changing data sets, but restricts lookups to running on the search head tier.

If KV Store is a good choice for you, you'll need to do the following to convert your app from using CSV files:

  1. Create a KV Store collection
  2. Update the lookup definition
  3. Write your CSV data to the KV Store
  4. Verify your searches still work

Create a KV Store collection

The simplest way to create a KV Store collection is to create a collections.conf file in your app's /default directory, with the name of the KV Store collection in a stanza name. Nothing else is required.

Here's an example of a collection definition::

#
# Splunk app KV store collection file
#

[csvcoll]

Update the lookup definition

Update your app's lookup definition for KV Store:

  1. Open the app's transforms.conf file (located in the /default or /local directory).
  2. Find the stanza defining the app's lookup:
    • Change the external_type to "kvstore".
    • Add a collection property with the name of the KV Store collection.
    • Note  Don't change the name of the lookup, or else you will break the existing searches and reports in your app.

  3. Save your changes and restart Splunk.

Here's an example of a lookup definition:

[csv_lookup]
external_type = kvstore
collection = csvcoll
fields_list = CustName, CustStreet, CustCity, CustState, CustZip

Write your CSV data to the KV Store

Run a search command that writes the contents of your CSV file to the KV Store:

| inputlookup filename.csv | outputlookup lookup_name

For example:

| inputlookup customers.csv | outputlookup csv_lookup 

Verify your searches still work

Verify the searches in your app still work with the new lookup.