The kvstore is using a field called _key to store the key. You can see the values by doing this:
| inputlookup my_kvstore_name | eval view_key=_key
By default, Splunk is hiding this internal value from you, but you can see it by putting the value into another field.
By the way, I assume that when you say 'I defined a key as "key" for a KVStore' that you mean you did something like this:
| outputlookup my_kvstore_name key_field="key"
That won't force the kvstore to store its keys in a field named key. It will output a kvstore and copy the values in the existing field named key into a hidden field called _key and use those as the keys.
Yes. I defined a custom key field named as "key", but I tried both queries, and the key field is still missing.
| inputlookup my_kvstore_lookup | eval view_key=key
| inputlookup my_kvstore_lookup | eval view_key=_key
Hmm, well I found this doc:
The key ID field
By default, each KV Store record has a unique key ID, which is stored in the internal "_key" field. When you use outputlookup to write to the KV Store, a key ID is autogenerated if you don't specify one explicitly. If you want to modify a specific record, you need to provide its key ID.
To view the key ID field in lookups, add "_key" to the fields_list in the lookup definition.
So you might need to edit transforms.conf and add _key to the fields_list.
| inputlookup my_kvstore_name
| rename _key as view_key
worked as well for me; Splunk recommends as a guideline to use rename instead of eval where it is possible.
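The transforms.conf change suggested in the thread, written out as an added example that is not from the original posts. The collection name my_collection and the fields host and status are assumptions; my_kvstore_name is the lookup name used above.

```ini
# transforms.conf (added example; collection and field names are hypothetical)

# Before: _key is not listed, so lookup searches return only host and status.
# [my_kvstore_name]
# external_type = kvstore
# collection    = my_collection
# fields_list   = host, status

# After: _key is listed, so each record's key ID is available to searches.
[my_kvstore_name]
external_type = kvstore
collection    = my_collection
fields_list   = _key, host, status
```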