I defined a key as "key" for a KVStore. How to show the key value from an inputlookup command from a KVStore? Thanks.
The kvstore is using a field called _key
to store the key. You can see the values by doing this:
| inputlookup my_kvstore_name
| eval view_key=_key
By default, Splunk is hiding this internal value from you, but you can see it by putting the value into another field.
| inputlookup my_kvstore_name
| rename _key as view_key
worked as well for me; splunk recommend as a guideline to use rename instead of eval where it is possible.
By the way, I assume that when you say: I defined a key as "key" for a KVStore
that you mean you did something like this:
| outputlookup my_kvstore_name key_field="key"
That won't force the kvstore to store its keys in a field named key
. It will output a kvstore and copy the values in the existing field named key
into a hidden field called _key
and use those as the keys.
Yes. I defined a custom key field named as "key", but I tried both queries, and the key field is still missing.
| inputlookup my_kvstore_lookup | eval view_key=key
| inputlookup my_kvstore_lookup | eval view_key=_key
Hmm, well I found this doc:
http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZH
It says:
The key ID field
By default, each KV Store record has a unique key ID, which is stored in the internal "_key" field. When you use outputlookup
to write to the KV Store, a key ID is autogenerated if you don't specify one explicitly. If you want to modify a specific record, you need to provide its key ID.
To view the key ID field in lookups, add "_key" to the fields_list in the lookup definition.
So you might need to edit transforms.conf and add _key to the fields_list.