I tried it too.its not working

should i enable anything or add any property while creating lookup file

Are you talking about lookup files or kv stores?

Can you describe what is not 'working' and give an example of what you see when you try the commands

Its KV store..

when i try to add a row its updating the existing row

example, instead of this output i am getting

this,

I tried these 2 solutions, I thought i dont have write access but i have i can update the  file but not able to add a new row

| inputlookup table_a
      |search name="A" |eval rating=5 ,comment="Execellent" key=_key| outputlookup  append=true  key_field=key table_a

-----------------------------

| inputlookup table_a
      |search name="A" |eval rating=5 ,comment="Execellent" | outputlookup  append=true table_a

You are not doing what I suggested in my first response 

Remove the key_field=_key

You are explicitly telling it to update the SAME row in KV store

Please read the my previous response fully...I have tried in both ways

Anyways thanks for your response. I found a solution 

@sivaranjiniG Please let us know the solution as we are facing the same task.

Hi @cadrija,

I’m a Community Moderator in the Splunk Community.

This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you!