Knowledge Management

How come when I run inputlookup myLookupTest, it's returning 0 results?

bbritten
Explorer

I created a test KVStore in order to familiarize myself with the API. It has about 20 records in it, all of which are listed under the user nobody (viewable from search). However, when running |inputlookup myLookupTest, I get 0 results despite being in the same app in which the KVStore is visible.

Any idea why that might be the case?

0 Karma
1 Solution

Vijeta
Influencer

Did you define the KV store using lookup editor, what is your KV store name and did you create a lookup from Settings->lookups->Lookup->lookup definitions and create with Type as KV store and give lookup file name as your KV store name.

View solution in original post

Vijeta
Influencer

Did you define the KV store using lookup editor, what is your KV store name and did you create a lookup from Settings->lookups->Lookup->lookup definitions and create with Type as KV store and give lookup file name as your KV store name.

bbritten
Explorer
  • Did you define the KV store using lookup editor? yes
  • What is your KV store name? This is different from the collection name, right? I'm not sure of the store name (I'm brand new to Splunk). The collection name is bbrittenKVTest
  • Did you create a lookup from Settings -> Lookup -> Lookup Definitions? no
  • Did you create it with type as KV and give the lookup file name as your KV store name? no

It sounds like this is what I need to do.

0 Karma

Vijeta
Influencer

Collection name is what I was referring to as KV store name, that is what you need to put when you define your lookup.

0 Karma

bbritten
Explorer

You're amazing! All I had to do was add the definition in Settings -> Lookup -> Lookup Definition and I was able to query the lookup table.

You've already solved my problem, but would you mind providing a little more detail for my own edification? Why does a definition need to be provided? Why wasn't Splunk able to just return the results without it?

Thank you again for your help!

0 Karma

p_gurav
Champion

Can you tell what permission you set for kvstore collection?

0 Karma

bbritten
Explorer

@p_gurav The permissions are {"read": "everyone", "write": "soc_elevated"}

0 Karma

niketn
Legend

@bbritten did you check Search Job Inspector and also search.log? Any additional information there?
For testing can you create few rows and test outputlookup command if that works?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bbritten
Explorer

Looking in the Search Job Inspector, I see that it gives the following message: warn: myLookupTest is invalid If go to the Settings drop-down menu item and select Lookups, I'm also unable to find it in the Lookup Files or Lookup Definitions. The only place I can find it is if I go to the Lookup Editor app and search for it there. Did I perhaps create the lookup in the wrong place?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...