I've got a kvstore lookup whose data is updated every day from a scheduled search. I built it using the ideas that @dwaddle and @starcher presented at .conf2015 ([presentation here][1] if anyone is interested). This worked great for a few months, but now I'm getting an error message whenever the updating search runs. Neither the updating search nor the structure of the data has changed, so I don't think it has anything to do with the search itself. When the updating search runs, it returns a table of data but gets the following message when it tries to write to the kvstore:
"Could not append to collection 'CollectionOfIncidents': an error occurred while saving to the collection. See search.log for more details."
When I look in search.log there is one more message:
ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message ''
Any ideas as to what this error code means or what could be causing the update to fail?
[1]: https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf