Knowledge Management

KVStore Troubleshooting

Path Finder


Seeing some very strange behaviour when writing to the KVStore, the following works:

            var record = {"projectId": projID,"projName": projName};
            {"Content-Type": "application/json"},

When I change:

var record = {"projID": projID,"projName": projName};

to be:

var record = {"projectId": projID,"projName": projName};

The write appears to work however an inputlookup shows only the projName field. If I do an inputlookup | fields projName,projectId the projectId field is blank.

Started splunk in debug mode and the mongo log doesnt show anything, the splunkd.log shows that it appears to write the correct data:

07-27-2017 11:01:55.412 +0100 DEBUG CollectionHandler - DISPATCH::DATA method='POST' collection='topas4' key=''
07-27-2017 11:01:55.413 +0100 DEBUG AuthenticationManagerSplunk - Getting info for user: admin
07-27-2017 11:01:55.413 +0100 DEBUG PropertiesMapConfig - Pattern 'topas4' matches with priority 100
07-27-2017 11:01:55.413 +0100 DEBUG KVStorageProvider - Insert data: {"projectId":"262","projName":"Account Management"} -- { "projectId" : "262", "projName" : "Account Management" }
07-27-2017 11:01:55.413 +0100 DEBUG MongoClient - Pop new connection with type 8
07-27-2017 11:01:55.413 +0100 DEBUG MongoClient - Auto -> ReplicaSet
07-27-2017 11:01:55.414 +0100 ERROR mongodlog - 2017-07-27T10:01:55.414Z I NETWORK [initandlisten] connection accepted from #22 (14 connections now open)
07-27-2017 11:01:55.439 +0100 ERROR mongodlog - 2017-07-27T10:01:55.439Z I ACCESS [conn22] Successfully authenticated as principal __system on local
07-27-2017 11:01:55.440 +0100 DEBUG MongoClient - Pushing back connection with type 4

Makes me think my inputlookup is incorrect however I thought that:

| inputlookup topas4_lookup

Would show the entire contents?

Even if i do:

| inputlookup topas4_lookup | eval KeyID = _key | fields KeyID,projName,projectId

I see the key but the the projectId field is still blank.

Any ideas on what might be causing this or how to further troubleshoot it would do wonders for my sanity.



0 Karma
1 Solution

Path Finder

fields_list in transforms.conf dammit! totally my bad...

View solution in original post

0 Karma

Path Finder

fields_list in transforms.conf dammit! totally my bad...

0 Karma

Path Finder

So it appears that using (lowercase d in projId):

var record = {"projId": projID,"projName": projName};

also fails.

Changing back to projID works!

Is someone going to tell me I wasted my entire morning on this because for some bizarre reason the key name MUST be identical to the variable name being passed and any failures surrounding this will be logged absolutely nowhere?

What madness is this? I must be doing something wrong here surely...

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...