Knowledge Management

How to show the key from an inputlookup command from a KVStore?

splunkrocks2014
Communicator

I defined a key as "key" for a KVStore. How to show the key value from an inputlookup command from a KVStore? Thanks.

elliotproebstel
Champion

The kvstore is using a field called _key to store the key. You can see the values by doing this:

| inputlookup my_kvstore_name
| eval view_key=_key

By default, Splunk is hiding this internal value from you, but you can see it by putting the value into another field.

mhergh
Explorer

| inputlookup my_kvstore_name
| rename _key as view_key

worked as well for me; splunk recommend as a guideline to use rename instead of eval where it is possible.

elliotproebstel
Champion

By the way, I assume that when you say: I defined a key as "key" for a KVStore that you mean you did something like this:

| outputlookup my_kvstore_name key_field="key"

That won't force the kvstore to store its keys in a field named key. It will output a kvstore and copy the values in the existing field named key into a hidden field called _key and use those as the keys.

0 Karma

splunkrocks2014
Communicator

Yes. I defined a custom key field named as "key", but I tried both queries, and the key field is still missing.

| inputlookup my_kvstore_lookup | eval view_key=key

| inputlookup my_kvstore_lookup | eval view_key=_key
0 Karma

elliotproebstel
Champion

Hmm, well I found this doc:
http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZH

It says:

The key ID field
By default, each KV Store record has a unique key ID, which is stored in the internal "_key" field. When you use outputlookup to write to the KV Store, a key ID is autogenerated if you don't specify one explicitly. If you want to modify a specific record, you need to provide its key ID.
To view the key ID field in lookups, add "_key" to the fields_list in the lookup definition.

So you might need to edit transforms.conf and add _key to the fields_list.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...