Splunk Search

How to get time-based lookups working with KV Store?

Contributor

Have time-based lookups working well with a CSV file. When I try to get it working with KV Store, I CANNOT get it to work. Have been trying various solutions for many, many hours.

Works (s_uname and ftime in the table):

index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info_file UID output ftime s_uname | table _time UID s_uname ftime

Fails (s_uname and ftime NOT in the table):

index=fastpathprototype05 sourcetype=proto05wwanfrequent | lookup system_info UID output ftime s_uname | table _time UID s_uname ftime

transforms.conf:

[system_info_file]
filename = system_info_file.csv
time_field = ftime
time_format = %F %T

[system_info]
external_type = kvstore
collection = system_info
fields_list = _time,UID,etime,ftime,s_bband,s_dname,s_hardw,s_man,s_mod,s_osver,s_uname
time_field = ftime
time_format = %F %T

collections.conf:

[system_info]
enforceTypes=true
field._time=time
field.UID=string
field.etime=number
field.ftime=string
field.s_bband=string
field.s_dname=string
field.s_hardw=string
field.s_man=string
field.s_mod=string
field.s_osver=string
field.s_uname=string
1 Solution

Contributor

Got it working by changing the time field to use epoch time.

time_field = etime
time_format = %s



Explorer

I have had the issue. It works for me. Be very careful to make etime a number in collections.conf.

field.etime=number => CORRECT
field.etime=string => INCORRECT

Personally, I used the REST API to fill in the KV Store and my JSON for the etime field is:
{
...
"etime": 1531418188, ==> a number !!! "1531418188" would be KO, try it for yourself
...
}

Cheers,
Fab
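As an added example (not code from the thread or from Splunk), a small Python check that models the two points made in the accepted solution and in Fab's reply: with time_format = %s the time field must be declared as number in collections.conf and stored as a JSON number, not a string. The lookup_at function is a simplified model of how a time-based lookup picks the most recent record at or before the event's _time; the matching rule, stanza dicts and records are constructed assumptions, not Splunk's own implementation.

```python
import json

# Constructed stanzas, mirroring the thread's transforms.conf / collections.conf.
TRANSFORMS = {"time_field": "etime", "time_format": "%s",
              "fields_list": "_time,UID,etime,ftime,s_uname"}
COLLECTIONS_OK = {"field.etime": "number", "field.UID": "string"}
COLLECTIONS_BAD = {"field.etime": "string", "field.UID": "string"}

# Constructed KV Store records, in the shape the REST API returns them.
RECORDS_OK = json.loads('[{"UID": "dev1", "etime": 1531418188, "s_uname": "alice"},'
                        ' {"UID": "dev1", "etime": 1531504588, "s_uname": "bob"}]')
# Same record, but etime stored as a quoted string (the case Fab warns about).
RECORDS_BAD = json.loads('[{"UID": "dev1", "etime": "1531418188", "s_uname": "alice"}]')


def is_number(value):
    """True for JSON numbers only (bool is an int subclass in Python, so exclude it)."""
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_time_lookup(transforms, collections, records):
    """Return a list of problems that would break an epoch-based KV Store lookup."""
    problems = []
    tf = transforms.get("time_field")
    if tf not in transforms.get("fields_list", "").split(","):
        problems.append(f"time_field {tf} is not in fields_list")
    if transforms.get("time_format") == "%s" and collections.get(f"field.{tf}") != "number":
        problems.append(f"field.{tf} must be declared as number for time_format %s")
    for rec in records:
        if not is_number(rec.get(tf)):
            problems.append(f"record UID={rec.get('UID')}: {tf}={rec.get(tf)!r} is not numeric")
    return problems


def lookup_at(records, key_field, key, time_field, event_time):
    """Model of the temporal match: latest record for key with time <= event_time (assumption)."""
    candidates = [r for r in records
                  if r.get(key_field) == key and is_number(r.get(time_field))
                  and r[time_field] <= event_time]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[time_field])
```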

SplunkTrust

How did you store the data in the KV Store? Exporting from CSV or manually inserting?


Contributor

Using search with outputlookup.
