Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get time-based lookups working with KV Store?

simpkins1958
Contributor
‎01-08-2016 02:05 PM

Have time-based lookups working well with CSV file. When I try to get it working with KV Store, I CANNOT get it to work. Have been trying various solutions for many many hours.

Works (s_uname and ftime in the table):

index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info_file UID output ftime s_uname | table _time UID s_uname ftime

Fails (s_uname and ftime NOT in the table):

index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info UID output ftime s_uname | table _time UID s_uname ftime

transforms.conf:

[system_info_file]
filename = system_info_file.csv
time_field = ftime
time_format = %F %T

[system_info]
external_type = kvstore
collection = system_info
fields_list = _time,UID,etime,ftime,s_bband,s_dname,s_hardw,s_man,s_mod,s_osver,s_uname
time_field = ftime
time_format = %F %T

collections.conf:

[system_info]
enforceTypes=true
field._time=time
field.UID=string
field.etime=number
field.ftime=string
field.s_bband=string
field.s_dname=string
field.s_hardw=string
field.s_man=string
field.s_mod=string
field.s_osver=string
field.s_uname=string
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

simpkins1958
Contributor
‎01-11-2016 08:52 AM

Got it working changing the time field to use epoch time.

time_field = etime
time_format = %s

View solution in original post

Reply
Solved! Jump to solution
Solution

simpkins1958
Contributor
‎01-11-2016 08:52 AM

Got it working changing the time field to use epoch time.

time_field = etime
time_format = %s

Reply
Solved! Jump to solution

fbourel
Explorer
‎07-12-2018 10:57 AM

I have had the issue. It works for me. Be very careful to make etime a number in the collections.conf

field.etime=number => CORRECT
field.etime=string => INCORRECT

Personally, I used the REST API to fill in the KV Store and my JSON for the etime field is:
{
...
"etime": 1531418188, ==> a number !!! "1531418188" would be KO, try it for yourself
...
}

Cheers,
Fab

Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎02-02-2021 03:22 PM

F'ing awesome, thanks for that "number" thing 😄

@marycordova
Tags (1)
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-08-2016 09:53 PM

How did you store the data to KV Store ? Exporting from csv or manually inserting?

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

simpkins1958
Contributor
‎01-11-2016 08:51 AM

Using search with outputlookup.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...