Re: How to match event field to KV Store key

packland · ‎04-02-2020

I have a kvstore collection with two columns: "_key", and "last_online". The idea is that a search to update the values, manually specifying the key, is scheduled and only needs to run with a time range as long as the schedule interval. In general this is so that other searches can access this information quickly via a lookup rather than running over an extended time range to find out when the device was last online.

I have the searches working properly but using a workaround that I'm trying to avoid. When I use the lookup, I'm unable to match an event field with the key field like so:

| makeresults count=1
| eval id = 1234
| lookup last_online_lookup _key as id OUTPUTNEW

One of the possible workarounds I've found is duplicating the key field in the collection so that it is accessible under another name. But the one I've opted for is changing the search to look like this:

| makeresults count=1
| eval id = 1234
| join type=left id [ | inputlookup last_online_lookup 
                      | eval id = _key ]

This achieves the desired result but I want to know if it's possible to match an event field to the internal _key field directly.

Any ideas?

Thanks.

starcher · ‎04-03-2020

You need to add _key to the field list on the fields section of your lookup transform definition.

How to match event field to KV Store key

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms