Is it possible to have a KV Store time-based looku...

TiagoMatos · ‎06-01-2016

Hi,

I have a kvstore defined based on a collection

collections.conf

[app2]

transforms.conf

[business_id2]
collection = app2
external_type = kvstore
fields_list = _key, LAST_UPD, MY_TIME, PROPERTY, ROW_ID, TYPE, VALUE
max_matches = 1000
min_matches = 0
min_offset_secs = 0
time_field = MY_TIME

I also have another lookup table that has the exact same results BUT IS NOT A KVSTORE (it is file-based):

[Business_ID]
filename = Business_ID.csv
max_matches = 1000
min_matches = 0
min_offset_secs = 0
time_field = MY_TIME
time_format = %Y-%m-%d %H:%M:%S

When doing something like

index=A | lookup business_id2 ROW_ID OUTPUT VALUE

I get no VALUE column.

When doing:

index=A | lookup Business_ID ROW_ID OUTPUT VALUE

I get the VALUE column....

SO it seems a KV Store doesn't have Time Based capability... it it true?

Thanks

kbrown_splunk · ‎06-01-2016

Check this to see if it helps. At least it answers yes to time based kvstore lookups
https://answers.splunk.com/answers/209693/time-based-lookups-and-kvstore.html

TiagoMatos · ‎06-02-2016

Hi,

That issue is the exact same I have, and it appears there is still no answer for that....

Is it possible to have a KV Store time-based lookup?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform