Are '.' characters in KV lookup field names suppor...

jthunnissen · ‎11-08-2018

I notice that whenever I create a KV-store lookup definition with a field containing a '.' character, it does not work properly. Surrounding the fieldname with """ does not help.

Writing to the lookup with the outputlookup command results in the message:
"Could not write to collection 'my_collection': An error occurred while saving to the KV Store.

When I remove the '.' character(s) from the field names in de lookup definition it works again.

gjanders · ‎11-11-2018

According to mongodb

 Restrictions on Field Names

        Field names cannot contain the null character.
        Top-level field names cannot start with the dollar sign ($) character.
        Otherwise, starting in MongoDB 3.6, the server permits storage of field names that contain dots (i.e. .) and dollar signs (i.e. $).

I know Splunk 7 uses an older version of mongodb (3.4 perhaps), I believe Splunk 7.2.x uses 3.6 but I also could not use "." characters in field names in that version, so I suspect you will need to avoid the $ symbol and the . symbol is field names via kvstore.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Are '.' characters in KV lookup field names supported?

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?