Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is kvstore update failing with code 115?

wpreston
Motivator
‎01-19-2016 06:42 AM

I've got a kvstore lookup who's data is updated every day from a scheduled search. I built it using the ideas that @dwaddle and @starcher presented at .conf2015 (presentation here if anyone is interested). This worked great for a few months, but now I'm getting an error message whenever the updating search runs. Neither the updating search nor structure of the data have changed so I don't think it has anything to do with the search itself. When the updating search runs, it returns a table of data but gets the following message when it tries to write to the kvstore:

"Could not append to collection 'CollectionOfIncidents': an error occurred while saving to the collection.  See search.log for more details."

When I look in search.log there is one more message:

ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message ''

Any ideas as to what this error code means or what could be causing the update to fail?

0 Karma
Reply

claudio_manig
Communicator
‎10-19-2016 02:50 AM

Same here, did nromito's polst helped you out to fix it?

0 Karma
Reply

briancronrath
Contributor
‎08-02-2018 03:54 PM

I know this post is old, but in case the answer here doesn't fix it for folks, I recently resolved this issue myself by removing an fields with a "." character in the name. Looks like it was breaking the ability to append.

0 Karma
Reply

nromito_splunk
Splunk Employee
Splunk Employee
‎03-16-2016 09:27 AM

The reason this message is displayed is because you're trying to write a multi-valued _key field to your KV Store.
For example:
I create a KV Store with the following values:
'{"name":"indexer1","id":123,"address":{"street":"250 Brannan","city":"San Francisco"}}'
'{"name":"indexer1","id":124,"address":{"street":"250 Brannan","city":"San Francisco"}}'
I then write a search like this:

index = _internal | head 1 | eval name = "indexer1"| lookup test_lookup name OUTPUT _key | outputlookup test_lookup append=true

This means my one event from the search on _internal will match both of the KV Store entries, and we create a new field=_key for that event due to the OUTPUT of the lookup. Since we matched two entries in the KV Store, the _key field on the event will evaluate to something like "_key" : [ "56e30ef4af0001b2aa352761", "56e30f0baf0001b2aa352762" ]. Since Splunk's KV Store only allows a single, unique value for _key, the search fails with the cryptic message ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message ''

tl;dr revise your search query, KV Store collection, or transforms.conf (max_matches=1) to ensure that you will not match an event to multiple KV Store entries when trying to write to the _key field.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-19-2016 07:33 AM

What platform?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

wpreston
Motivator
‎01-19-2016 08:20 AM

Sorry, should have included that!

Splunk version: 6.3
OS: Windows 2008 R2

0 Karma
Reply

robert_miller
Path Finder
‎02-01-2016 02:26 PM

We are also starting to see this same error. Hopefully someone has a solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top