All Apps and Add-ons

Why am I unable to edit my kvstore lookup with the Lookup File Editor App for Splunk Enterprise?

adityapavan18
Contributor

Hi

I have created a kvstore collection as below in collections.conf

[samplecollection]
replicate = true

Then I created a lookup based on the above kvstore collection in transforms.conf

[samplekv_lookup]
collection = samplecollection
external_type = kvstore
fields_list = _key,field1,field2

Now I ran the search below to load data onto my kvstore lookup

|inputlookup old_data,csv | table field1,field2 | outputlookup samplekv_lookup

When I run | inputlookup samplekv_lookup | eval Key = _key | table _key,field1,field2, I see the data with columns key, field1 & field2

Now I want to edit the data in this kvstore. I tried using the Lookup File Editor App for Splunk Enterprise. When opened in the list of lookups, I found "samplecollection" instead of "samplekv_lookup" (I was hoping to see this in the list).

Once I open "samplecollection" to edit in the Lookup Editor app, it only shows me _key column and it doesn't show me the field1, field2 columns which I want to edit.

Is my understanding correct that tje Lookup Editor app can be used to edit kvstore data? What am I doing wrong?

Any help is much appreciated.

0 Karma

LukeMurphey
Champion

I'm looking into this. I'll be tracking the work under http://lukemurphey.net/issues/1360 for details. I suspect this has something to do with ability in KV store to have rows on a per-user basis.

Update 1:
I figured out what is going on. outputlookup stores and inputlookup retrieves rows only for the nobody user whereas the KV editor uses the user that owns the lookup.

Update 2:
Version 2.2 of the lookup editor allows you to select the user context in which to view the rows. This will allow you to select "nobody" which includes the rows that outputlookup stores and inputlookup works with.

0 Karma

alvaro_garcia
Explorer

Hello,
I have the same problem with the lasts version (2.3.1) of lookup editor and with Splunk 6.4.1
I set the owner to “Nobody” but when I tried to opened, I only see "_key" column

0 Karma

jsilverbears
Path Finder

I have actually found the issue here. Your problem is your collection.conf:

[samplecollection]
replicate = true

You don't specifically state the columns in your collection.

I just got this app and I immediately looked at my current setup through it. Every time I am missing a column it's a column that I don't enforce a type with in collections.conf.

The _key column seems to just be a given.

gfuente
Motivator

Hello, You are right, adding the fields to the collections.conf solves the issue. Thanks!

0 Karma

LukeMurphey
Champion

I'm looking into this. I have a ticket open with my investigation here: http://lukemurphey.net/issues/1360

0 Karma

LukeMurphey
Champion

Question: may I assume that when you edited the lookup from search using outputlookup that you did so from a user account other than admin? I think I have been able to reproduce the issue but I need to make sure it is the same issue.

0 Karma

adityapavan18
Contributor

Hi Luke,

I ran all commands using the admin user itself.

0 Karma

jmallorquin
Builder

Hi,

Review the version that you are using? I had the same problem time ago.

Hope i help you

0 Karma

adityapavan18
Contributor

I am using the latest version 2.1.2 for app & splunk is on 6.3.0
Is it working for you now? which version are you using?

0 Karma

jmallorquin
Builder

Hi,

I am using 2.1.1 version and it works.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...