I have a KV store collection that is populated. I have a lookup definition pointing to the KV store. If you use the kvstore lookup definition in a search, I get matching results and everything works as expected.
index=* source=jello | lookup kvstore_lookup ip as srcip outputnew city as src_city
However, if I move that into an automatic lookup it does not work.
Before using the kvstore I was using a csv lookup and the automatic lookups where working fine. The csv grew to 122mb so I populated a kvstore with the below.
| inputlookup old_csv_lookup | outputlookup kvstore_lookup
Permissions on the automatic lookups are global, everyone read, admin write. I can see in the search log that its calling the automatic lookup "Will use Lookup: Lookup-......" but the the fields that are supposed to be added in from the lookup dont populate.
Also, I am using matchtype=CIDR for this lookup definition.
Any ideas why the automatic lookup is not working now that its using the kvstore?
For anyone tracking this. If you migrate to wiredTiger you will loose the metrics for "Accelerations" and "Accelerated Size (MB)". If you want to fix this you can add these regexes to the existing search in the DMC-->"KV Store Instance"-->"Collection Metrics" panel
| rex field=data "nindexes\"\:(?<nindexes>\d+)\," | rex field=data "totalIndexeSize\"\:(?<totalIndexSize>\d+)\,"
found it for reference :
Enable replication for a KV store collection
In Splunk Enterprise, KV Store collections are not bundle-replicated to indexers by default, and lookups run locally on the search head rather than on remote peers. When you enable replication for a KV Store collection, you can run the lookups on your indexers which let you use automatic lookups with your KV Store collections.
To enable replication for a KV Store collection and allow lookups against that collection to be automatic:
That's interesting. Not sure how I haven't come across that document before. We must have some other issues on this particular instance because replicating the KV store to the indexers did not help. Also, when you look at the kvstore pages in the DMC it doesn't show the accelerated fields status either.
Thanks for the info!
I have run into exactly this issue and was going to post on it.
symptoms: like above, exact replica configuration using csv works just fine.
executing the lookup piped in spl works just fine
defining the same lookup on a data model works just fine.
just the automatic lookup doesnt, I have tried both on sourcetype and source