Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get time-based lookups working with KV ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have time-based lookups working well with CSV file. When I try to get it working with KV Store, I CANNOT get it to work. Have been trying various solutions for many many hours.
Works (s_uname and ftime in the table):
index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info_file UID output ftime s_uname | table _time UID s_uname ftime
Fails (s_uname and ftime NOT in the table):
index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info UID output ftime s_uname | table _time UID s_uname ftime
transforms.conf:
[system_info_file]
filename = system_info_file.csv
time_field = ftime
time_format = %F %T
[system_info]
external_type = kvstore
collection = system_info
fields_list = _time,UID,etime,ftime,s_bband,s_dname,s_hardw,s_man,s_mod,s_osver,s_uname
time_field = ftime
time_format = %F %T
collections.conf:
[system_info]
enforceTypes=true
field._time=time
field.UID=string
field.etime=number
field.ftime=string
field.s_bband=string
field.s_dname=string
field.s_hardw=string
field.s_man=string
field.s_mod=string
field.s_osver=string
field.s_uname=string
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it working changing the time field to use epoch time.
time_field = etime
time_format = %s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it working changing the time field to use epoch time.
time_field = etime
time_format = %s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have had the issue. It works for me. Be very careful to make etime a number in the collections.conf
field.etime=number => CORRECT
field.etime=string => INCORRECT
Personally, I used the REST API to fill in the KV Store and my JSON for the etime field is:
{
...
"etime": 1531418188, ==> a number !!! "1531418188" would be KO, try it for yourself
...
}
Cheers,
Fab
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you store the data to KV Store ? Exporting from csv or manually inserting?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using search with outputlookup.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
