Why am I unable to edit my kvstore lookup with the...

adityapavan18 · ‎05-25-2016

Hi

I have created a kvstore collection as below in collections.conf

[samplecollection]
replicate = true

Then I created a lookup based on the above kvstore collection in transforms.conf

[samplekv_lookup]
collection = samplecollection
external_type = kvstore
fields_list = _key,field1,field2

Now I ran the search below to load data onto my kvstore lookup

|inputlookup old_data,csv | table field1,field2 | outputlookup samplekv_lookup

When I run | inputlookup samplekv_lookup | eval Key = _key | table _key,field1,field2, I see the data with columns key, field1 & field2

Now I want to edit the data in this kvstore. I tried using the Lookup File Editor App for Splunk Enterprise. When opened in the list of lookups, I found "samplecollection" instead of "samplekv_lookup" (I was hoping to see this in the list).

Once I open "samplecollection" to edit in the Lookup Editor app, it only shows me _key column and it doesn't show me the field1, field2 columns which I want to edit.

Is my understanding correct that tje Lookup Editor app can be used to edit kvstore data? What am I doing wrong?

Any help is much appreciated.

LukeMurphey · ‎05-30-2016

I'm looking into this. I'll be tracking the work under http://lukemurphey.net/issues/1360 for details. I suspect this has something to do with ability in KV store to have rows on a per-user basis.

Update 1:
I figured out what is going on. outputlookup stores and inputlookup retrieves rows only for the nobody user whereas the KV editor uses the user that owns the lookup.

Update 2:
Version 2.2 of the lookup editor allows you to select the user context in which to view the rows. This will allow you to select "nobody" which includes the rows that outputlookup stores and inputlookup works with.

alvaro_garcia · ‎09-06-2016

Hello,
I have the same problem with the lasts version (2.3.1) of lookup editor and with Splunk 6.4.1
I set the owner to “Nobody” but when I tried to opened, I only see "_key" column

jsilverbears · ‎10-10-2016

I have actually found the issue here. Your problem is your collection.conf:

[samplecollection]
replicate = true

You don't specifically state the columns in your collection.

I just got this app and I immediately looked at my current setup through it. Every time I am missing a column it's a column that I don't enforce a type with in collections.conf.

The _key column seems to just be a given.

gfuente · ‎10-11-2016

Hello, You are right, adding the fields to the collections.conf solves the issue. Thanks!

LukeMurphey · ‎05-25-2016

I'm looking into this. I have a ticket open with my investigation here: http://lukemurphey.net/issues/1360

LukeMurphey · ‎05-25-2016

Question: may I assume that when you edited the lookup from search using outputlookup that you did so from a user account other than admin? I think I have been able to reproduce the issue but I need to make sure it is the same issue.

adityapavan18 · ‎05-25-2016

Hi Luke,

I ran all commands using the admin user itself.

jmallorquin · ‎05-25-2016

Hi,

Review the version that you are using? I had the same problem time ago.

Hope i help you

adityapavan18 · ‎05-25-2016

I am using the latest version 2.1.2 for app & splunk is on 6.3.0
Is it working for you now? which version are you using?

jmallorquin · ‎05-26-2016

Hi,

I am using 2.1.1 version and it works.

Why am I unable to edit my kvstore lookup with the Lookup File Editor App for Splunk Enterprise?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies