Solved: How do you add a field/column to an existing kvsto...

snorri · ‎09-24-2018

We have a kvstore that has been used for about a year.

Now we need to add a new field/column to the kvstore, but we can't find any info on how to do this or if it's even possible.

So my question is: is this possible? if so, how?

Or is the only option to create a completely new kvstore?

493669 · ‎09-24-2018

Hi @snorri,

Add the new field name in transforms.conf and collections.conf under that kv store lookup stanza.
like in transforms.conf add under fields_list comma separated value.
and in collections.conf >> field.fieldname = string/number

View solution in original post

493669 · ‎09-24-2018

Hi @snorri,

Add the new field name in transforms.conf and collections.conf under that kv store lookup stanza.
like in transforms.conf add under fields_list comma separated value.
and in collections.conf >> field.fieldname = string/number

snorri · ‎09-24-2018

hm. I have already done this, also in the lookup definitions. Is it enough to _bump the splunk version or do I have to restart splunk for the changes to take effect?

493669 · ‎09-24-2018

you need to restart splunk

snorri · ‎09-25-2018

I added the field in: lookup defenition, collections.conf and transforms.conf.
After restarting the new field appeard. Thanks alot!

sfatnass · ‎09-25-2018

if still not working can you show us your conf?

snorri · ‎09-25-2018

I added the field in: lookup defenition, collections.conf and transforms.conf.
After restarting the new field appeard. Thanks alot!

How do you add a field/column to an existing kvstore?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update