topic Re: Why is kvstore update failing with code 115? in Knowledge Management

Why is kvstore update failing with code 115?

wpreston — Tue, 19 Jan 2016 14:42:53 GMT

I've got a kvstore lookup who's data is updated every day from a scheduled search. I built it using the ideas that @dwaddle and @starcher presented at .conf2015 (presentation here if anyone is interested). This worked great for a few months, but now I'm getting an error message whenever the updating search runs. Neither the updating search nor structure of the data have changed so I don't think it has anything to do with the search itself. When the updating search runs, it returns a table of data but gets the following message when it tries to write to the kvstore:

"Could not append to collection 'CollectionOfIncidents': an error occurred while saving to the collection.  See search.log for more details."

When I look in search.log there is one more message:

ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message ''

Any ideas as to what this error code means or what could be causing the update to fail?

Re: Why is kvstore update failing with code 115?

richgalloway — Tue, 19 Jan 2016 15:33:37 GMT

What platform?

Re: Why is kvstore update failing with code 115?

wpreston — Tue, 19 Jan 2016 16:20:32 GMT

Sorry, should have included that!

Splunk version: 6.3
OS: Windows 2008 R2

Re: Why is kvstore update failing with code 115?

robert_miller — Mon, 01 Feb 2016 22:26:41 GMT

We are also starting to see this same error. Hopefully someone has a solution.

Re: Why is kvstore update failing with code 115?

nromito_splunk — Tue, 29 Sep 2020 09:07:10 GMT

The reason this message is displayed is because you're trying to write a multi-valued _key field to your KV Store.
For example:
I create a KV Store with the following values:
'{"name":"indexer1","id":123,"address":{"street":"250 Brannan","city":"San Francisco"}}'
'{"name":"indexer1","id":124,"address":{"street":"250 Brannan","city":"San Francisco"}}'
I then write a search like this:

index = _internal | head 1 | eval name = "indexer1"| lookup test_lookup name OUTPUT _key | outputlookup test_lookup append=true

This means my one event from the search on _internal will match both of the KV Store entries, and we create a new field=_key for that event due to the OUTPUT of the lookup. Since we matched two entries in the KV Store, the _key field on the event will evaluate to something like "_key" : [ "56e30ef4af0001b2aa352761", "56e30f0baf0001b2aa352762" ]. Since Splunk's KV Store only allows a single, unique value for _key, the search fails with the cryptic message ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message ''

tl;dr revise your search query, KV Store collection, or transforms.conf (max_matches=1) to ensure that you will not match an event to multiple KV Store entries when trying to write to the _key field.

Re: Why is kvstore update failing with code 115?

claudio_manig — Wed, 19 Oct 2016 09:50:26 GMT

Same here, did nromito's polst helped you out to fix it?

Re: Why is kvstore update failing with code 115?

briancronrath — Thu, 02 Aug 2018 22:54:17 GMT

I know this post is old, but in case the answer here doesn't fix it for folks, I recently resolved this issue myself by removing an fields with a "." character in the name. Looks like it was breaking the ability to append.