Splunk Search

Is it possible to have a KV Store time-based lookup?

TiagoMatos
Path Finder

Hi,

I have a kvstore defined based on a collection

collections.conf

[app2]

transforms.conf

[business_id2]
collection = app2
external_type = kvstore
fields_list = _key, LAST_UPD, MY_TIME, PROPERTY, ROW_ID, TYPE, VALUE
max_matches = 1000
min_matches = 0
min_offset_secs = 0
time_field = MY_TIME

I also have another lookup table that has the exact same results BUT IS NOT A KVSTORE (it is file-based):

[Business_ID]
filename = Business_ID.csv
max_matches = 1000
min_matches = 0
min_offset_secs = 0
time_field = MY_TIME
time_format = %Y-%m-%d %H:%M:%S

When doing something like

index=A | lookup business_id2 ROW_ID OUTPUT VALUE 

I get no VALUE column.

When doing:

index=A | lookup Business_ID ROW_ID OUTPUT VALUE 

I get the VALUE column....

SO it seems a KV Store doesn't have Time Based capability... it it true?

Thanks

Tags (3)

kbrown_splunk
Splunk Employee
Splunk Employee

Check this to see if it helps. At least it answers yes to time based kvstore lookups
https://answers.splunk.com/answers/209693/time-based-lookups-and-kvstore.html

0 Karma

TiagoMatos
Path Finder

Hi,

That issue is the exact same I have, and it appears there is still no answer for that....

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>