Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When I try to perform outputlookup on the kvstore, I get the following error:

sidtalup27
Explorer
‎02-16-2023 09:04 AM

Hello,

I have created a KVstore lookup, when I try to perform outputlookup on the kvstore, I get the following error.

Error in 'outputlookup' command: Could not write to collection 'test1': An error occurred while saving to the KV Store

When I refer to the log file, it gives the following information,

02-16-2023 16:56:51.841 ERROR KVStoreLookup [79866 phase_1] - KV Store output failed with err: The provided query was invalid. (Document may not contain '$' or '.' in keys.) message:
02-16-2023 16:56:51.841 ERROR SearchResultsFiles [79866 phase_1] - An error occurred while saving to the KV Store. Look at search.log for more information.
02-16-2023 16:56:51.905 ERROR outputcsv [79866 phase_1] - An error occurred during outputlookup, managed to write 0 rows
02-16-2023 16:56:51.905 ERROR outputcsv [79866 phase_1] - Error in 'outputlookup' command: Could not write to collection 'test1': An error occurred while saving to the KV Store. Look at search.log for more information..

Can you please advise on this.
Thanks in advance.

Siddarth

0 Karma
Reply

sidtalup27
Explorer
‎02-20-2023 04:48 AM

@PickleRick , there is no such data.

Below is the data and respective fields that will be written to the lookup.

sidtalup27_0-1676897147461.png

Below the definition of the KVstore.

sidtalup27_1-1676897254376.png

@PaulPanther , yes, the KV store does exist.

 

--
Thanks,
Siddarth

 

 

0 Karma
Reply

PaulPanther
Builder
‎02-20-2023 07:55 AM

@sidtalup27 The table contains the field key without underscore but your lookup definition only contains the internal key field _key. I assume that your collection looks similiar. If yes please define the field in your collections.conf and in your transforms.conf.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-20-2023 04:17 AM

Your error says:

"Document may not contain '$' or '.' in keys."

Do any of the result fields that you want to save into the kvstore contain $ or . in the field name?

0 Karma
Reply

PaulPanther
Builder
‎02-20-2023 12:50 AM

@sidtalup27 The KV store collection "test1" already exists?  How looks the output of your search query?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...