Splunk Search

Migrate from CSV to KV store

New Member

I am trying to migrate from CSV to KV store following these steps:

  1. Created collection.conf on the host in the app's local directory as follows:

[KV_collection]
enforceTypes = true
field.fieldname = string
field.fieldname = number
field.fieldname = number
field.fieldname = string
...

  2. Created transform.conf on the host in the app's local directory as follows:

[KVlookup]
external_type = kvstore
collection = KV_collection
fields_list = fieldname1, fieldname2...

  3. Used the following command to migrate from the existing CSV to the KV store:

| inputlookup lookuptabl.csv | outputlookup KVlookup

But I am getting this error:
Error in 'outputlookup' command: The lookup table 'Permission denied for collection 'KV_collection'' is invalid

Can anyone help me find where exactly the problem is?
Do I need any special permission to access the collection?
Also, where can I find the collections that are created?

0 Karma

Path Finder

The file name should be collections.conf instead of collection.conf.

0 Karma

Path Finder

The KV store could be present inside an app, and you may be running the search from the search app.
The search is not able to reach the KV store. Try running the search from the app where the KV store is created.

0 Karma
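
A small lint for two problems that come up in this thread: the singular file name, and a lookup pointing at a collection name that collections.conf does not define. This is an added example, not code from the posters or from Splunk; the sample app contents and the names `lint_app`, `parse_conf`, `SAMPLE_APP` and `EXPECTED` are constructed for illustration.

```python
import re

# Constructed sample: an app's local/ directory as {file name: contents} (hypothetical field name).
SAMPLE_APP = {
    "collection.conf": "[KV_collection]\nenforceTypes = true\nfield.name = string\n",
    "transforms.conf": (
        "[KVlookup]\nexternal_type = kvstore\n"
        "collection = KVcollection\nfields_list = name\n"
    ),
}

# Singular misspellings mapped to the file name Splunk actually reads.
EXPECTED = {"collection.conf": "collections.conf", "transform.conf": "transforms.conf"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (last duplicate key wins)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_app(files):
    """Return a list of findings for the KV store lookup definitions in one app."""
    findings = []
    for wrong, right in EXPECTED.items():
        if wrong in files and right not in files:
            findings.append(f"{wrong}: rename to {right}")
    collections = parse_conf(files.get("collections.conf", ""))
    for name, conf in parse_conf(files.get("transforms.conf", "")).items():
        if conf.get("external_type") != "kvstore":
            continue  # not a KV store lookup
        target = conf.get("collection")
        if target not in collections:
            findings.append(f"[{name}] collection '{target}' not defined in collections.conf")
        if "fields_list" not in conf:
            findings.append(f"[{name}] fields_list is missing")
    return findings

if __name__ == "__main__":
    for finding in lint_app(SAMPLE_APP):
        print(finding)
```

It only inspects one app's files; it does not check role permissions on the collection or which app the search runs in.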