Splunk Search

Why am I getting error "The lookup table 'XXX' is invalid" trying to initially populate a kvstore table via outputlookup?

malat_UoM
Explorer

First attempt at creating a kvstore lookup to be used by the Search app - initially, at least; I've followed the documentation and defined:

/etc/apps/search/local/collections.conf

    [CollectionStanzaName]

/etc/apps/search/local/transforms.conf

    [CollectionStanzaName_KVStoreName]
    external_type = kvstore
    collection = CollectionStanzaName
    fields_list = _key, Field1, Field2, Field3, ..., FieldN

Search heads restarted, and subsequent attempts to populate the kvstore using:

    <moderately complicated search utilizing search-time transforms> | outputlookup append=t key_field=Unique_Field_Returned_By_Search CollectionStanzaName_KVStoreName

result in the error:

    Error in 'outputlookup' command: Option 'key_field=Unique_Field_Returned_By_Search' is invalid

If I try to simplify things and run,

    <moderately complicated search utilising search-time transforms> | outputlookup CollectionStanzaName_KVStoreName

I get:

    Error in 'outputlookup' command: The lookup table 'CollectionStanzaName_KVStoreName' is invalid.

and searching for these errors draws a blank, so I'm not sure what else to try.

0 Karma
1 Solution

dgladkikh_splun
Splunk Employee

OK, KVStore lookups are available only starting from version 6.2.

malat_UoM
Explorer

Well, that'll teach us not to upgrade... sorry for wasting your time with such an easy problem...

0 Karma

dgladkikh_splun
Splunk Employee

Which Splunk version are you using?

0 Karma

malat_UoM
Explorer

Splunk 6.1 - running a search head pool we haven't quite got around to converting into a cluster, so no upgrade to 6.2 yet.

0 Karma
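
A preflight check for the failure discussed in this thread, as an added example that is not part of the original posts: it parses the text of collections.conf and transforms.conf and reports why a KV store lookup definition would be unusable, using the 6.2 minimum given in the accepted answer. The function name `check_kvstore_lookup`, the sample config strings and the version strings passed in are assumptions made for illustration.

```python
import configparser

MIN_KVSTORE_VERSION = (6, 2)  # minimum stated in the accepted answer in this thread

# Constructed sample input, modelled on the stanzas posted in the question.
SAMPLE_COLLECTIONS = """
[CollectionStanzaName]
"""
SAMPLE_TRANSFORMS = """
[CollectionStanzaName_KVStoreName]
external_type = kvstore
collection = CollectionStanzaName
fields_list = _key, Field1, Field2, Field3
"""


def _parse(conf_text):
    # Assumption: simple INI-like stanzas only; not a full Splunk .conf parser.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(conf_text)
    return cp


def check_kvstore_lookup(lookup, transforms_text, collections_text, splunk_version):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    version = tuple(int(p) for p in splunk_version.split(".")[:2])
    if version < MIN_KVSTORE_VERSION:
        problems.append("Splunk %s predates KV store lookups (need 6.2+)" % splunk_version)
    transforms = _parse(transforms_text)
    collections = _parse(collections_text)
    if not transforms.has_section(lookup):
        problems.append("no [%s] stanza in transforms.conf" % lookup)
        return problems
    stanza = transforms[lookup]
    if stanza.get("external_type", "").strip() != "kvstore":
        problems.append("external_type is not kvstore")
    collection = stanza.get("collection", "").strip()
    if not collection or not collections.has_section(collection):
        problems.append("collection %r is not defined in collections.conf" % collection)
    return problems


if __name__ == "__main__":
    for v in ("6.1", "6.2.0"):
        print(v, check_kvstore_lookup("CollectionStanzaName_KVStoreName",
                                      SAMPLE_TRANSFORMS, SAMPLE_COLLECTIONS, v))
```
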