Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I set up a KV Store lookup?

danielbb
Motivator
‎04-09-2025 08:58 AM

I created a KV Store lookup using the "Splunk App for Lookup File Editing" app, however when I look at Settings>Lookups, the lookup definition doesn't show up.  In addition, when running

| inputlookup <name>

I get the error "The lookup table '<name>' requires a .csv or KV store lookup definition"
 
What do I miss? 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-09-2025 03:05 PM

HI @danielbb 

You need to create the lookup definition once you have created the KV Store collection in the lookup editor app.

Go to Settings->Lookups->Lookup Definitions.

Create a new one as below - filling in the relevant details:

livehybrid_0-1744236260568.png

 

Then you should be able to search it using |inputlookup

Note: I generally try and call the definition something different to the collection/kv store name but you do not need to.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-09-2025 11:16 AM

Typically that's a result of wrong scope or insufficient access - your lookup is either private or exported only to the app you've created it in but you're searching from another app (typically the search app)

Reply

danielbb
Motivator
‎04-11-2025 09:08 AM

Thank you @PickleRick, it was a confusion about the app where the collection and the definition exist. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-09-2025 03:27 PM
This is most common issue if you don’t see and can’t use it from other options.
I’m not sure/haven’t checked I last times what options you can set with this app. In most cases with small or mid sized lookups this works (enough) well, but if you have huge ones and/or you are needing e.g. accelerations then it’s easier to define those via conf files.
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...