Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is kvstore update failing with code 115?

wpreston
Motivator
‎01-19-2016 06:42 AM

I've got a kvstore lookup who's data is updated every day from a scheduled search. I built it using the ideas that @dwaddle and @starcher presented at .conf2015 (presentation here if anyone is interested). This worked great for a few months, but now I'm getting an error message whenever the updating search runs. Neither the updating search nor structure of the data have changed so I don't think it has anything to do with the search itself. When the updating search runs, it returns a table of data but gets the following message when it tries to write to the kvstore:

"Could not append to collection 'CollectionOfIncidents': an error occurred while saving to the collection.  See search.log for more details."

When I look in search.log there is one more message:

ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message ''

Any ideas as to what this error code means or what could be causing the update to fail?

0 Karma
Reply

claudio_manig
Communicator
‎10-19-2016 02:50 AM

Same here, did nromito's polst helped you out to fix it?

0 Karma
Reply

briancronrath
Contributor
‎08-02-2018 03:54 PM

I know this post is old, but in case the answer here doesn't fix it for folks, I recently resolved this issue myself by removing an fields with a "." character in the name. Looks like it was breaking the ability to append.

0 Karma
Reply

nromito_splunk
Splunk Employee
Splunk Employee
‎03-16-2016 09:27 AM

The reason this message is displayed is because you're trying to write a multi-valued _key field to your KV Store.
For example:
I create a KV Store with the following values:
'{"name":"indexer1","id":123,"address":{"street":"250 Brannan","city":"San Francisco"}}'
'{"name":"indexer1","id":124,"address":{"street":"250 Brannan","city":"San Francisco"}}'
I then write a search like this:

index = _internal | head 1 | eval name = "indexer1"| lookup test_lookup name OUTPUT _key | outputlookup test_lookup append=true

This means my one event from the search on _internal will match both of the KV Store entries, and we create a new field=_key for that event due to the OUTPUT of the lookup. Since we matched two entries in the KV Store, the _key field on the event will evaluate to something like "_key" : [ "56e30ef4af0001b2aa352761", "56e30f0baf0001b2aa352762" ]. Since Splunk's KV Store only allows a single, unique value for _key, the search fails with the cryptic message ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message ''

tl;dr revise your search query, KV Store collection, or transforms.conf (max_matches=1) to ensure that you will not match an event to multiple KV Store entries when trying to write to the _key field.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-19-2016 07:33 AM

What platform?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

wpreston
Motivator
‎01-19-2016 08:20 AM

Sorry, should have included that!

Splunk version: 6.3
OS: Windows 2008 R2

0 Karma
Reply

robert_miller
Path Finder
‎02-01-2016 02:26 PM

We are also starting to see this same error. Hopefully someone has a solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...