Splunk Search

Writing records to KVStore - Strange Behavior



Am attempting to identify the name of the SQL Server and the SQL Agent process name based on a CMDB lookup and storing them into a KVStore.

The results from the SPL itself show the correct results, however when checking the KVStore, its found that only the process name related to the Agent gets stored.

On filtering the results, am able to store the Server process name, but when running without filters only the Agent process name is stored.

SPL last lines -

| inputlookup append=true lookup_host_process_monitoring_list
| dedup process snow_node
| outputlookup lookup_host_process_monitoring_list

Results from execution -

SPL Output.png


Result stored in KVStore -

KVStore Result.png


If the same SPL, I send the output to a CSV, all the results get saved.

Has anyone seen or come across a similar situation? 

Thanks n regards


Labels (1)
0 Karma