Knowledge Management

How to show the key from an inputlookup command from a KVStore?

splunkrocks2014
Communicator

I defined a key as "key" for a KVStore. How to show the key value from an inputlookup command from a KVStore? Thanks.

elliotproebstel
Champion

The kvstore is using a field called _key to store the key. You can see the values by doing this:

| inputlookup my_kvstore_name
| eval view_key=_key

By default, Splunk is hiding this internal value from you, but you can see it by putting the value into another field.

mhergh
Explorer

| inputlookup my_kvstore_name
| rename _key as view_key

worked as well for me; splunk recommend as a guideline to use rename instead of eval where it is possible.

elliotproebstel
Champion

By the way, I assume that when you say: I defined a key as "key" for a KVStore that you mean you did something like this:

| outputlookup my_kvstore_name key_field="key"

That won't force the kvstore to store its keys in a field named key. It will output a kvstore and copy the values in the existing field named key into a hidden field called _key and use those as the keys.

0 Karma

splunkrocks2014
Communicator

Yes. I defined a custom key field named as "key", but I tried both queries, and the key field is still missing.

| inputlookup my_kvstore_lookup | eval view_key=key

| inputlookup my_kvstore_lookup | eval view_key=_key
0 Karma

elliotproebstel
Champion

Hmm, well I found this doc:
http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZH

It says:

The key ID field
By default, each KV Store record has a unique key ID, which is stored in the internal "_key" field. When you use outputlookup to write to the KV Store, a key ID is autogenerated if you don't specify one explicitly. If you want to modify a specific record, you need to provide its key ID.
To view the key ID field in lookups, add "_key" to the fields_list in the lookup definition.

So you might need to edit transforms.conf and add _key to the fields_list.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...