Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to have a KV Store time-based lookup?

TiagoMatos
Path Finder
‎06-01-2016 07:50 AM

Hi,

I have a kvstore defined based on a collection

collections.conf

[app2]

transforms.conf

[business_id2]
collection = app2
external_type = kvstore
fields_list = _key, LAST_UPD, MY_TIME, PROPERTY, ROW_ID, TYPE, VALUE
max_matches = 1000
min_matches = 0
min_offset_secs = 0
time_field = MY_TIME

I also have another lookup table that has the exact same results BUT IS NOT A KVSTORE (it is file-based):

[Business_ID]
filename = Business_ID.csv
max_matches = 1000
min_matches = 0
min_offset_secs = 0
time_field = MY_TIME
time_format = %Y-%m-%d %H:%M:%S

When doing something like

index=A | lookup business_id2 ROW_ID OUTPUT VALUE

I get no VALUE column.

When doing:

index=A | lookup Business_ID ROW_ID OUTPUT VALUE

I get the VALUE column....

SO it seems a KV Store doesn't have Time Based capability... it it true?

Thanks

Tags (3)
Reply

kbrown_splunk
Splunk Employee
Splunk Employee
‎06-01-2016 07:56 AM

Check this to see if it helps. At least it answers yes to time based kvstore lookups
https://answers.splunk.com/answers/209693/time-based-lookups-and-kvstore.html

0 Karma
Reply

TiagoMatos
Path Finder
‎06-02-2016 02:38 AM

Hi,

That issue is the exact same I have, and it appears there is still no answer for that....

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...