Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When I try to perform outputlookup on the kvstore, I get the following error:

sidtalup27
Explorer
‎02-16-2023 09:04 AM

Hello,

I have created a KVstore lookup, when I try to perform outputlookup on the kvstore, I get the following error.

Error in 'outputlookup' command: Could not write to collection 'test1': An error occurred while saving to the KV Store

When I refer to the log file, it gives the following information,

02-16-2023 16:56:51.841 ERROR KVStoreLookup [79866 phase_1] - KV Store output failed with err: The provided query was invalid. (Document may not contain '$' or '.' in keys.) message:
02-16-2023 16:56:51.841 ERROR SearchResultsFiles [79866 phase_1] - An error occurred while saving to the KV Store. Look at search.log for more information.
02-16-2023 16:56:51.905 ERROR outputcsv [79866 phase_1] - An error occurred during outputlookup, managed to write 0 rows
02-16-2023 16:56:51.905 ERROR outputcsv [79866 phase_1] - Error in 'outputlookup' command: Could not write to collection 'test1': An error occurred while saving to the KV Store. Look at search.log for more information..

Can you please advise on this.
Thanks in advance.

Siddarth

0 Karma
Reply

sidtalup27
Explorer
‎02-20-2023 04:48 AM

@PickleRick , there is no such data.

Below is the data and respective fields that will be written to the lookup.

sidtalup27_0-1676897147461.png

Below the definition of the KVstore.

sidtalup27_1-1676897254376.png

@PaulPanther , yes, the KV store does exist.

 

--
Thanks,
Siddarth

 

 

0 Karma
Reply

PaulPanther
Builder
‎02-20-2023 07:55 AM

@sidtalup27 The table contains the field key without underscore but your lookup definition only contains the internal key field _key. I assume that your collection looks similiar. If yes please define the field in your collections.conf and in your transforms.conf.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-20-2023 04:17 AM

Your error says:

"Document may not contain '$' or '.' in keys."

Do any of the result fields that you want to save into the kvstore contain $ or . in the field name?

0 Karma
Reply

PaulPanther
Builder
‎02-20-2023 12:50 AM

@sidtalup27 The KV store collection "test1" already exists?  How looks the output of your search query?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...