Have time-based lookups working well with CSV file. When I try to get it working with KV Store, I CANNOT get it to work. Have been trying various solutions for many many hours.
Works (s_uname and ftime in the table):
index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info_file UID output ftime s_uname | table _time UID s_uname ftime
Fails (s_uname and ftime NOT in the table):
index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info UID output ftime s_uname | table _time UID s_uname ftime
transforms.conf:
[system_info_file]
filename = system_info_file.csv
time_field = ftime
time_format = %F %T
[system_info]
external_type = kvstore
collection = system_info
fields_list = _time,UID,etime,ftime,s_bband,s_dname,s_hardw,s_man,s_mod,s_osver,s_uname
time_field = ftime
time_format = %F %T
collections.conf:
[system_info]
enforceTypes=true
field._time=time
field.UID=string
field.etime=number
field.ftime=string
field.s_bband=string
field.s_dname=string
field.s_hardw=string
field.s_man=string
field.s_mod=string
field.s_osver=string
field.s_uname=string
Got it working changing the time field to use epoch time.
time_field = etime
time_format = %s
I have had the issue. It works for me. Be very careful to make etime a number in the collections.conf:
field.etime=number => CORRECT
field.etime=string => INCORRECT
Personally, I used the REST API to fill in the KV Store and my JSON for the etime field is:
{
...
"etime": 1531418188, ==> a number !!! "1531418188" would be KO, try it for yourself
...
}
Cheers,
Fab
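An added example, not part of the original thread and not Splunk's own code: a pre-load check that converts ftime to an epoch etime and compares each record's JSON types with the collections.conf stanza posted above, so a quoted etime is caught before it is loaded into the KV Store. The sample UID and user name are constructed, ftime is assumed to be UTC, and the helper names are hypothetical.

```python
import calendar
import json
import time

# collections.conf stanza as posted in the thread (subset of the fields)
COLLECTIONS_CONF = """\
[system_info]
enforceTypes=true
field.UID=string
field.etime=number
field.ftime=string
field.s_uname=string
"""

def field_types(conf_text):
    """Map field name -> declared type from 'field.<name>=<type>' lines."""
    types = {}
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("field."):
            types[key.strip()[len("field."):]] = value.strip()
    return types

def to_epoch(ftime):
    """Convert '%F %T' text to an integer epoch. Assumption: ftime is UTC."""
    return calendar.timegm(time.strptime(ftime, "%Y-%m-%d %H:%M:%S"))

def type_errors(record, types):
    """Return the fields whose JSON type disagrees with collections.conf."""
    bad = []
    for name, value in record.items():
        declared = types.get(name)
        is_num = isinstance(value, (int, float)) and not isinstance(value, bool)
        if declared == "number" and not is_num:
            bad.append(name)
        elif declared == "string" and not isinstance(value, str):
            bad.append(name)
    return bad

def build_record(uid, ftime, s_uname):
    """Build one record with etime as a JSON number, not a quoted string."""
    return {"UID": uid, "ftime": ftime, "etime": to_epoch(ftime), "s_uname": s_uname}

if __name__ == "__main__":
    types = field_types(COLLECTIONS_CONF)
    good = build_record("dev-001", "2018-07-12 17:56:28", "alice")  # constructed sample
    quoted = dict(good, etime=str(good["etime"]))  # the quoted form from the reply
    print(json.dumps(good), type_errors(good, types))
    print(json.dumps(quoted), type_errors(quoted, types))
```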
How did you store the data to KV Store? Exporting from CSV or manually inserting?
Using search with outputlookup.