When we talk about automatic lookups, we're referencing the capability described here - http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents#Edit_existing_automatic_lookups_or_configure_a_new_lookup_to_run_automatically This automatic lookup capability is not supported by KV store. Regarding the question around the "restricting lookups to running on the search head tier" - This is intended to call out the fact that any KV store lookup will need to occur on a Search head; i.e all SPL commands on a search string occuring after a KV store lookup will need to be run on the search head. ... View more

What version of Excel and PowerPivot are you using? Are you able to retrieve data just using Excel alone? ... View more

A couple of things to check - 1. Does this user role have access to the new indices that you've setup? 2. Have you modified eventtypes.conf stanzas to include the relevant indices? For example - [windows_performance] search = index=perfmon (sourcetype="powershell" OR sourcetype="Perfmon:" OR sourcetype="WMI:Perfmon") 3. You can specify more than one index to target in the searches. ... View more

The performance monitoring dashboard not showing any data might be linked to the fact that lookups needed for the dashboard to function properly did not get created in time. Could you send the contents of the following files currently- $SPLUNK_HOME\etc\apps\windows\local\inputs.conf $SPLUNK_HOME\etc\apps\windows\default\inputs.conf ... View more