Splunk Search

Outputlookup to a kvstore does not write results

alexc
New Member

Hello all! This will be a doozy, so get ready. We are running a search with tstats-generated results; from various troubleshooting we simplified it to the following:

| tstats count by host
| rename host as hostname
| outputlookup some_kvstore

The config of the kvstore is as follows:

# collections.conf
[some_kvstore]
field.hostname = string

# transforms.conf
[some_kvstore]
collection = some_kvstore
external_type = kvstore
fields_list = hostname

When you run the first 2 lines of the SPL, you will get quite a few results, as it queries the internal db for hosts and retrieves a count of their logs. After you add the outputlookup command, it removes all your results and will not add them to the kvstore. 

As my coworker found, there is a way to write the results to the kvstore after all, however the SPL for that is quite cursed, as it involves joining the original search back in, but the new results will be written to the kvstore.

| tstats count by host
| rename host as hostname
| table hostname
| join hostname [ tstats count by host | rename host as hostname]
| outputlookup some_kvstore

As far as I am aware, 9.1.2, 9.0.6, and the latest versions of Cloud have this issue even as fresh installs of Splunk; however, it does work on 8.2.1 and 7.3.3 systems (don't ask). The Splunk user owns everything in the Splunk dir so there is no problem with writing to any files, the kvstore permissions are global, and any user can read or write to it.

So after several hours of troubleshooting, we are stumped here and not sure where we should look next. Changing to a csv is unfortunately not an option.

Things we have tried so far, that I can remember:

  • Completely fresh installs of Splunk
  • Cleaning the kvstore via `splunk clean kvstore -local`
  • Outputting to a csv (works)
  • Using makeresults to create the fields manually and add to the kvstore (works)
  • Using the noop command to disable all search optimization
  • Writing to the kvstore via API (works)
  • Reading data from the kvstore via inputlookup (works)
  • Modifying an entry in the kvstore via the lookup editor app (works)
  • Testing with all search modes (fast, smart, verbose)
Labels (1)
0 Karma
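Before digging into the search pipeline itself, the first thing worth verifying is that the lookup definition in transforms.conf and the collection in collections.conf agree with each other and with the field names the search actually emits (here, `hostname` after the rename). The script below is an added example, not code from the post above or from Splunk: it parses the two stanzas the poster shows (constructed inline from the post, plus a deliberately misconfigured variant whose `fields_list` still says `host`) and reports the mismatches that would leave the lookup definition and the search out of sync. The parser is a minimal reading of Splunk's INI-style .conf format and is an assumption of this example, not Splunk's own parser.

```python
"""Consistency check between a Splunk KV store lookup definition and a search.

Added example, not code from the original post or from Splunk. It parses
collections.conf / transforms.conf stanzas and checks that:
  * the transforms stanza exists and has external_type = kvstore,
  * its `collection` names a stanza in collections.conf,
  * fields_list is non-empty and every listed field is declared in the collection,
  * every field the search emits appears in fields_list.
All conf text and field lists below are constructed for this example.
"""
import re

# Constructed to match the stanzas shown in the post.
COLLECTIONS_CONF = """\
[some_kvstore]
field.hostname = string
"""

TRANSFORMS_CONF = """\
[some_kvstore]
collection = some_kvstore
external_type = kvstore
fields_list = hostname
"""

# Constructed misconfiguration: fields_list was never updated after `rename host as hostname`.
BROKEN_TRANSFORMS_CONF = """\
[some_kvstore]
collection = some_kvstore
external_type = kvstore
fields_list = host
"""

STANZA_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_conf(text):
    """Parse INI-style .conf text into {stanza: {key: value}}; comments/blank lines ignored."""
    stanzas, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key/value lines outside a stanza are ignored
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_lookup(lookup_name, transforms, collections, search_fields):
    """Return a list of problem strings; an empty list means the definitions are consistent."""
    problems = []
    t = transforms.get(lookup_name)
    if t is None:
        return [f"transforms.conf has no stanza [{lookup_name}]"]
    if t.get("external_type") != "kvstore":
        problems.append("external_type is not 'kvstore'")

    collection = t.get("collection")
    if collection in collections:
        # collections.conf declares typed fields as `field.<name> = <type>`
        declared = {k[len("field."):] for k in collections[collection] if k.startswith("field.")}
    else:
        problems.append(f"collection '{collection}' has no stanza in collections.conf")
        declared = set()

    listed = [f.strip() for f in t.get("fields_list", "").split(",") if f.strip()]
    if not listed:
        problems.append("fields_list is empty")
    for f in listed:
        if f != "_key" and f not in declared:
            problems.append(f"fields_list field '{f}' is not declared in collections.conf")
    for f in search_fields:
        if f not in listed:
            problems.append(f"search field '{f}' is not in fields_list of lookup '{lookup_name}'")
    return problems


def check_post_config():
    """Run the check against the post's stanzas; the search emits only `hostname`."""
    return check_lookup("some_kvstore", parse_conf(TRANSFORMS_CONF),
                        parse_conf(COLLECTIONS_CONF), ["hostname"])


def check_broken_config():
    """Same search against the misconfigured transforms stanza."""
    return check_lookup("some_kvstore", parse_conf(BROKEN_TRANSFORMS_CONF),
                        parse_conf(COLLECTIONS_CONF), ["hostname"])


if __name__ == "__main__":
    print("post config:", check_post_config() or "consistent")
    print("broken config:", check_broken_config())
```

For the stanzas in the post the check comes back clean, which is consistent with the poster's observation that config alone does not explain the empty write; the broken variant shows the two complaints (an undeclared `host` in `fields_list`, and `hostname` missing from it) that a forgotten rename produces. Run it against the real files under `$SPLUNK_HOME/etc/apps/<app>/local/` by reading them in place of the constructed strings.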