Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

identity automatic lookup does not work

Pony0
Observer
‎11-09-2023 05:12 AM

Hi !

I am facing an issue adding a new field in the ES identity kv store. After adding a new field automatic lookup doesn't work and never returns my new field in my events, but I can manually retrieve it with this query :

 

 

 

| inputlookup ES_identity_kvstore

 

 

 

while that one :

 

 

 

index=my_index | lookup ES_identity_kvstore...

 

 

 

throws me an error :

 

 

 

[comma separated list of my indexers] phase_0 - Streamed search execute failed because: Error in 'lookup' command: Cannot find the destination field 'my_new_field' in the lookup table 'ES_identity_kvstore'..

 

 

 

still, with this following query forcing the SH to run the lookup I can retrieve my new field :

 

 

 

index=my_index | lookup local=true ES_identity_kvstore...

 

 

 

collections.conf (with replicate=true) and props.conf are correctly updated on the SH so I think I am maybe missing something on my indexers configuration but can not figure out what it is... 

Do you have any idea ?

Thanks !

Labels (2)
Labels
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...