Automated lookup using KVstore lookup

Path Finder

I have a KV store collection that is populated.  I have a lookup definition pointing to the KV store.  If you use the kvstore lookup definition in a search, I get matching results and everything works as expected.  


index=* source=jello
| lookup kvstore_lookup ip as srcip outputnew city as src_city


However, if I move that into an automatic lookup it does not work. 

Before using the kvstore I was using a csv lookup and the automatic lookups were working fine.  The csv grew to 122mb so I populated a kvstore with the below.  


| inputlookup old_csv_lookup 
| outputlookup kvstore_lookup


Permissions on the automatic lookups are global, everyone read, admin write.  I can see in the search log that it's calling the automatic lookup "Will use Lookup: Lookup-......" but the fields that are supposed to be added in from the lookup don't populate.

Also, I am using matchtype=CIDR for this lookup definition.

Any ideas why the automatic lookup is not working now that it's using the kvstore? 

0 Karma

Path Finder

For anyone tracking this. If you migrate to wiredTiger you will lose the metrics for "Accelerations" and "Accelerated Size (MB)".  If you want to fix this you can add these regexes to the existing search in the DMC-->"KV Store Instance"-->"Collection Metrics" panel

| rex field=data "nindexes\"\:(?<nindexes>\d+)\,"

| rex field=data "totalIndexSize\"\:(?<totalIndexSize>\d+)\,"


0 Karma

Path Finder

actually yes:

found it for reference :


Enable replication for a KV store collection

In Splunk Enterprise, KV Store collections are not bundle-replicated to indexers by default, and lookups run locally on the search head rather than on remote peers. When you enable replication for a KV Store collection, you can run the lookups on your indexers, which lets you use automatic lookups with your KV Store collections.

To enable replication for a KV Store collection and allow lookups against that collection to be automatic:

  1. Open collections.conf.
  2. Set replicate to true in the stanza for the collection. This parameter is set to false by default.
  3. Restart Splunk Enterprise to apply your changes.

0 Karma
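
The three configuration files involved in the setup discussed in this thread, as an added example that is not from any poster or from the Splunk documentation. The collection name `geo_ip`, the field types and the `LOOKUP-src_city` class name are assumptions; `kvstore_lookup`, `ip`, `city`, `srcip`, `src_city` and `source=jello` come from the first post.

```ini
# collections.conf (in the app on the search head)
# "geo_ip" is a hypothetical collection name; the thread does not give one.
[geo_ip]
field.ip = string
field.city = string
# false by default. When true, the collection is bundle-replicated to the
# indexers so that lookups against it can run there.
replicate = true

# transforms.conf: the KV store lookup definition with CIDR matching on "ip"
[kvstore_lookup]
external_type = kvstore
collection = geo_ip
fields_list = _key, ip, city
match_type = CIDR(ip)

# props.conf: automatic form of
#   | lookup kvstore_lookup ip as srcip outputnew city as src_city
# "src_city" after LOOKUP- is a hypothetical class name.
[source::jello]
LOOKUP-src_city = kvstore_lookup ip AS srcip OUTPUTNEW city AS src_city
```

With `replicate = true` the collection becomes part of bundle replication to the indexers, so a collection the size of the 122 MB CSV from the first post adds to what each bundle push carries.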

Path Finder

That's interesting.  Not sure how I haven't come across that document before.  We must have some other issues on this particular instance because replicating the KV store to the indexers did not help.  Also, when you look at the kvstore pages in the DMC it doesn't show the accelerated fields status either.  

Thanks for the info!

0 Karma

Path Finder

I have run into exactly this issue and was going to post on it.

symptoms: like above, exact replica configuration using csv works just fine.

executing the lookup piped in spl works just fine

defining the same lookup on a data model works just fine.


just the automatic lookup doesn't, I have tried both on sourcetype and source

0 Karma

Path Finder

In a way I am glad to hear someone else is having this issue! lol.  Have you found any solutions?  Possible bug?

0 Karma


Hi !

I am facing a very similar issue : after adding a new field to my KV store automatic lookup doesn't work and never returns my new field in my events but I can manually retrieve it with this query :

| inputlookup my_kvstore

but that one :

index=my_index | lookup my_kvstore... 

throws an error :

[comma separated of my indexers list] phase_0 - Streamed search execute failed because: Error in 'lookup' command: Cannot find the destination field 'my_new_field' in the lookup table 'my_kvstore'..

still, with this query :

index=my_index | lookup local=true my_kvstore... 

I can retrieve my new field...



0 Karma