After migrating CSV lookups to kvstore, why does the lookup command no longer output results in a search?

spyme72
Path Finder

I am currently migrating all the CSV lookups to the kvstore.
When I do an inputlookup or outputlookup, it works perfectly fine and returns the results.
But when I use the lookup in my search, it doesn't do the lookup. The same search works fine when I use the .csv.

This search works

index=perfmon counter="% Processor Time" | lookup windowsperfmon.csv counter OUTPUT playbook | table counter playbook

counter playbook
% Processor Time Page Windows Server Support
% Processor Time Page Windows Server Support
% Processor Time Page Windows Server Support

This doesn't work

index=perfmon counter="% Processor Time" | lookup windowsperfmon counter OUTPUT playbook | table counter playbook

counter playbook
% Processor Time
% Processor Time
% Processor Time
% Processor Time

collections.conf

[windowsperfmon]
enforceTypes = true
field.xxx = string
field.yyy = string
field.zzz = string
field.status = string
field.email = string
field.object = string
field.counter = string
field.instance = string
field.trigger = string
field.threshold = number
field.severity = string
field.time_freq = string
field.occurrence = number
field.playbook = string

transforms.conf

[windowsperfmon]
external_type = kvstore
collection = windowsperfmon
fields_list = _key,xxx,yyy,zzz,status,email,object,counter,instance,trigger,threshold,severity,time_freq,occurrence,playbook
case_sensitive_match = false

1 Solution

jacobwilkins
Communicator

Ha! I know this one!

You have case_sensitive_match = false, and there is a bug in Splunk, SPL-102111, regarding that setting and kvstore lookups.

FWIW, the kvstore is perfect for "lookups" that you use in the context of inputlookup only, things like populating searches for dropdowns, and maybe seeds for subsearches.

Moving your regular lookups to the kvstore could potentially destroy your performance, if you are distributing to a significant number of peers. CSV lookups are cool because they distribute (via the search bundle) out to each peer, so the lookups are performed in a distributed manner. The kvstore only lives on your SH, so it is like setting "local=true" on your lookup command. Bad mojo for bigger deployments.
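To make the two stanzas in the question and the setting the accepted answer points at easier to check before a migration, here is a small linter. It is example code added for this page, not Splunk's code and not anything posted in the thread. The two conf texts are constructed from the question's collections.conf and transforms.conf; the checks (fields_list cross-checked against the collection's declared fields, a required fields_list, and a warning for case_sensitive_match = false on a kvstore lookup, which is the answer's SPL-102111 point) and their messages are my own.

```python
import configparser

# Constructed from the question's collections.conf.
COLLECTIONS_CONF = """
[windowsperfmon]
enforceTypes = true
field.xxx = string
field.yyy = string
field.zzz = string
field.status = string
field.email = string
field.object = string
field.counter = string
field.instance = string
field.trigger = string
field.threshold = number
field.severity = string
field.time_freq = string
field.occurrence = number
field.playbook = string
"""

# Constructed from the question's transforms.conf, including the
# case_sensitive_match = false line the accepted answer points at.
TRANSFORMS_CONF = """
[windowsperfmon]
external_type = kvstore
collection = windowsperfmon
fields_list = _key,xxx,yyy,zzz,status,email,object,counter,instance,trigger,threshold,severity,time_freq,occurrence,playbook
case_sensitive_match = false
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys such as enforceTypes are case-sensitive
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def lint_kvstore_lookup(stanza, transforms, collections):
    """Return a list of findings for one transforms.conf lookup stanza.

    An empty list means the stanza passed every check this linter knows about.
    Non-kvstore lookups (CSV, scripted) are skipped.
    """
    findings = []
    lookup = transforms.get(stanza)
    if lookup is None:
        return [f"{stanza}: no such stanza in transforms.conf"]
    if lookup.get("external_type") != "kvstore":
        return []

    coll_name = lookup.get("collection")
    if not coll_name:
        return [f"{stanza}: 'collection' is not set"]
    collection = collections.get(coll_name)
    if collection is None:
        return [f"{stanza}: collection '{coll_name}' is not defined in collections.conf"]

    # Fields the collection declares (field.<name> = <type>) versus the
    # fields the lookup exposes to the lookup command via fields_list.
    declared = {k[len("field."):] for k in collection if k.startswith("field.")}
    listed = [f.strip() for f in lookup.get("fields_list", "").split(",") if f.strip()]
    if not listed:
        findings.append(f"{stanza}: 'fields_list' is not set; kvstore lookups require it")
    for name in listed:
        if name != "_key" and name not in declared:
            findings.append(
                f"{stanza}: field '{name}' is in fields_list but has no "
                f"field.{name} entry in collection '{coll_name}'"
            )
    for name in sorted(declared - set(listed)):
        findings.append(
            f"{stanza}: collection field '{name}' is missing from fields_list, "
            f"so the lookup command cannot use it"
        )

    # The accepted answer attributes the empty OUTPUT field to this setting
    # on kvstore lookups (SPL-102111); flag it so it is removed before migrating.
    if lookup.get("case_sensitive_match", "").strip().lower() == "false":
        findings.append(
            f"{stanza}: case_sensitive_match = false on a kvstore lookup; "
            f"remove it (see SPL-102111 in the thread)"
        )
    return findings


def lint_all(transforms_text, collections_text):
    """Lint every stanza in transforms.conf; returns {stanza: [findings]}."""
    transforms = parse_conf(transforms_text)
    collections = parse_conf(collections_text)
    return {s: lint_kvstore_lookup(s, transforms, collections) for s in transforms}


if __name__ == "__main__":
    for stanza, problems in lint_all(TRANSFORMS_CONF, COLLECTIONS_CONF).items():
        print(stanza, "OK" if not problems else "")
        for problem in problems:
            print("  -", problem)
```

Run against the question's stanzas it reports exactly one finding, the case_sensitive_match line; delete that line and the same input comes back clean, which matches what the asker saw once the setting was removed. Point lint_all at your real transforms.conf and collections.conf contents (read from the etc/apps directory you are migrating) to catch fields_list typos at the same time.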

spyme72
Path Finder

Thanks a lot. Removing case_sensitive_match worked.

dgladkikh_splun
Splunk Employee

Could you share some data examples from the CSV file, how you got this data into the KV Store, and a few lines from the index?
