Solved: Moving KVstore lookup using "Lookup definitions" d...

99eaglez · ‎04-14-2025

After moving a KVstore to a new Application, Splunk can not longer render the lookup.

When moving a KVstore using the "move" link in "Lookup definitions" it only moves the transforms.conf stanza and not the collections.conf stanza.

The on-prem solution is to manually move collections.conf but this cannot be done in Splunk Cloud.

99eaglez · ‎04-14-2025

Although it looks like you should be able to use the "move" link in "Lookup definitions", you cannot.

The best way to achieve this is to create a new KVstore in the desired location then copy the KVstore data there.

| inputlookup my_old_kvstore
| outputlookup my_new_kvstore

I did create a Splunk Idea to resolve this issue. Please vote for it here.

View solution in original post

99eaglez · ‎04-14-2025

Although it looks like you should be able to use the "move" link in "Lookup definitions", you cannot.

The best way to achieve this is to create a new KVstore in the desired location then copy the KVstore data there.

| inputlookup my_old_kvstore
| outputlookup my_new_kvstore

I did create a Splunk Idea to resolve this issue. Please vote for it here.

Moving KVstore lookup using "Lookup definitions" does not work

administration

development

using Splunk Cloud

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?