Solved: How do you add a field/column to an existing kvsto...

snorri · ‎09-24-2018

We have a kvstore that has been used for about a year.

Now we need to add a new field/column to the kvstore, but we can't find any info on how to do this or if it's even possible.

So my question is: is this possible? if so, how?

Or is the only option to create a completely new kvstore?

493669 · ‎09-24-2018

Hi @snorri,

Add the new field name in transforms.conf and collections.conf under that kv store lookup stanza.
like in transforms.conf add under fields_list comma separated value.
and in collections.conf >> field.fieldname = string/number

View solution in original post

493669 · ‎09-24-2018

Hi @snorri,

Add the new field name in transforms.conf and collections.conf under that kv store lookup stanza.
like in transforms.conf add under fields_list comma separated value.
and in collections.conf >> field.fieldname = string/number

snorri · ‎09-24-2018

hm. I have already done this, also in the lookup definitions. Is it enough to _bump the splunk version or do I have to restart splunk for the changes to take effect?

493669 · ‎09-24-2018

you need to restart splunk

JTS911 · ‎02-08-2024

OR run <splunkweb>/en-US/debug/refresh

snorri · ‎09-25-2018

I added the field in: lookup defenition, collections.conf and transforms.conf.
After restarting the new field appeard. Thanks alot!

sfatnass · ‎09-25-2018

if still not working can you show us your conf?

snorri · ‎09-25-2018

I added the field in: lookup defenition, collections.conf and transforms.conf.
After restarting the new field appeard. Thanks alot!

How do you add a field/column to an existing kvstore?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...