Splunk Search

How to get time-based lookups working with KV Store?

Contributor

Have time-based lookups working well with CSV file. When I try to get it working with KV Store, I CANNOT get it to work. Have been trying various solutions for many many hours.

Works (s_uname and ftime in the table):

index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info_file UID output ftime s_uname | table _time UID s_uname ftime

Fails (s_uname and ftime NOT in the table):

index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info UID output ftime s_uname | table _time UID s_uname ftime

transforms.conf:

[system_info_file]
filename = system_info_file.csv
time_field = ftime
time_format = %F %T

[system_info]
external_type = kvstore
collection = system_info
fields_list = _time,UID,etime,ftime,s_bband,s_dname,s_hardw,s_man,s_mod,s_osver,s_uname
time_field = ftime
time_format = %F %T

collections.conf:

[system_info]
enforceTypes=true
field._time=time
field.UID=string
field.etime=number
field.ftime=string
field.s_bband=string
field.s_dname=string
field.s_hardw=string
field.s_man=string
field.s_mod=string
field.s_osver=string
field.s_uname=string
Tags (3)
1 Solution

Contributor

Got it working changing the time field to use epoch time.

time_field = etime
time_format = %s

View solution in original post

Contributor

Got it working changing the time field to use epoch time.

time_field = etime
time_format = %s

View solution in original post

Explorer

I have had the issue. It works for me. Be very careful to make etime a number in the collections.conf

field.etime=number => CORRECT
field.etime=string => INCORRECT

Personally, I used the REST API to fill in the KV Store and my JSON for the etime field is:
{
...
"etime": 1531418188, ==> a number !!! "1531418188" would be KO, try it for yourself
...
}

Cheers,
Fab

SplunkTrust
SplunkTrust

How did you store the data to KV Store ? Exporting from csv or manually inserting?

0 Karma

Contributor

Using search with outputlookup.

0 Karma