How come when I run inputlookup myLookupTest, it's returning 0 results?

bbritten
Explorer

I created a test KVStore in order to familiarize myself with the API. It has about 20 records in it, all of which are listed under the user nobody (viewable from search). However, when running |inputlookup myLookupTest, I get 0 results despite being in the same app in which the KVStore is visible.

Any idea why that might be the case?

0 Karma
1 Solution

Vijeta
Influencer

Did you define the KV store using the Lookup Editor? What is your KV store name? And did you create a lookup from Settings->lookups->Lookup->lookup definitions, with Type as KV store and the lookup file name set to your KV store name?

bbritten
Explorer
  • Did you define the KV store using lookup editor? yes
  • What is your KV store name? This is different from the collection name, right? I'm not sure of the store name (I'm brand new to Splunk). The collection name is bbrittenKVTest
  • Did you create a lookup from Settings -> Lookup -> Lookup Definitions? no
  • Did you create it with type as KV and give the lookup file name as your KV store name? no

It sounds like this is what I need to do.

0 Karma

Vijeta
Influencer

The collection name is what I was referring to as the KV store name; that is what you need to put when you define your lookup.

0 Karma

bbritten
Explorer

You're amazing! All I had to do was add the definition in Settings -> Lookup -> Lookup Definition and I was able to query the lookup table.

You've already solved my problem, but would you mind providing a little more detail for my own edification? Why does a definition need to be provided? Why wasn't Splunk able to just return the results without it?

Thank you again for your help!

0 Karma
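The relationship the accepted answer describes, as an added example that is not part of the thread and not Splunk's own code: a KV store collection (collections.conf) is only reachable from `inputlookup` through a lookup definition, which is a transforms.conf stanza with `external_type = kvstore`. The sample .conf text, the field names, the use of `myLookupTest` as the definition name and the returned status strings are constructed assumptions; the check only models name resolution offline and does not talk to Splunk.

```python
import configparser

# Constructed sample app config (not from the thread): the collection named in
# the post exists, but only TRANSFORMS_AFTER carries a lookup definition for it.
COLLECTIONS_CONF = """
[bbrittenKVTest]
field.host = string
field.owner = string
"""
TRANSFORMS_BEFORE = """
[some_csv_lookup]
filename = assets.csv
"""
TRANSFORMS_AFTER = TRANSFORMS_BEFORE + """
[myLookupTest]
external_type = kvstore
collection = bbrittenKVTest
fields_list = _key, host, owner
"""

def _parse(text):
    # Splunk .conf files are INI-like; keep key case and disable interpolation.
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def kvstore_lookups(transforms_text):
    """Map lookup definition name -> KV store collection it points at."""
    cp = _parse(transforms_text)
    return {name: cp.get(name, "collection", fallback=None)
            for name in cp.sections()
            if cp.get(name, "external_type", fallback="") == "kvstore"}

def resolve(lookup_name, collections_text, transforms_text):
    """Explain what `| inputlookup <lookup_name>` can resolve to."""
    collections = set(_parse(collections_text).sections())
    lookups = kvstore_lookups(transforms_text)
    if lookup_name not in lookups:
        return "no lookup definition"  # the state described in the question
    if lookups[lookup_name] not in collections:
        return "definition points at unknown collection"
    return "ok: collection " + lookups[lookup_name]

def undefined_collections(collections_text, transforms_text):
    """Collections that no KV store lookup definition references."""
    used = set(kvstore_lookups(transforms_text).values())
    return sorted(set(_parse(collections_text).sections()) - used)
```

Run against an app's real `collections.conf` and `transforms.conf` text, `undefined_collections` lists KV store collections that searches cannot reach by lookup name.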

p_gurav
Champion

Can you tell what permission you set for the kvstore collection?

0 Karma

bbritten
Explorer

@p_gurav The permissions are {"read": "everyone", "write": "soc_elevated"}

0 Karma

niketn
Legend

@bbritten did you check the Search Job Inspector and also search.log? Any additional information there?
For testing, can you create a few rows and test whether the outputlookup command works?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bbritten
Explorer

Looking in the Search Job Inspector, I see that it gives the following message: `warn: myLookupTest is invalid`. If I go to the Settings drop-down menu item and select Lookups, I'm also unable to find it in the Lookup Files or Lookup Definitions. The only place I can find it is if I go to the Lookup Editor app and search for it there. Did I perhaps create the lookup in the wrong place?

0 Karma