About KV Store collections

The KV Store stores your data as key-value pairs in collections. Here are the main concepts:

  • Collections are the containers for your data, similar to a database table. Collections exist within the context of a given app.
  • Records contain each entry of your data, similar to a row in a database table.
  • Fields correspond to key names, similar to the columns in a database table. Fields contain the values of your data as a JavaScript Object Notation (JSON) document. Although not required, you can enforce data types (number, boolean, time, and string) for field values.
  • _key is a reserved field that contains the unique ID for each record. If you don't explicitly specify the _key value, the app auto-generates one.
  • _user is a reserved field that contains the user ID for each record. This field cannot be overridden.
  • Accelerations improve search performance by making searches that contain accelerated fields return faster. Accelerations store a small portion of the collection's data set in an easy-to-traverse form.

For example, let's say you want to save information about transactions in the KV Store, such as the transaction ID, the status, the name of the user assigned to it currently, and a memo. You could create a collection called "transactions_collection", with fields called "transaction_id", "transaction_status", "transaction_owner", and "transaction_memo". Each transaction you add to the collection corresponds to a record.

To add KV Store functionality to an app:

  • Create a collection and optionally define a list of fields with data types using configuration files or the REST API.
  • Perform Create-Read-Update-Delete (CRUD) operations using search lookup commands and the Splunk REST API.
  • Manage collections using the REST API.