Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to match event field to KV Store key

packland
Path Finder
‎04-02-2020 10:55 PM

I have a kvstore collection with two columns: "_key", and "last_online". The idea is that a search to update the values, manually specifying the key, is scheduled and only needs to run with a time range as long as the schedule interval. In general this is so that other searches can access this information quickly via a lookup rather than running over an extended time range to find out when the device was last online.

I have the searches working properly but using a workaround that I'm trying to avoid. When I use the lookup, I'm unable to match an event field with the key field like so:

| makeresults count=1
| eval id = 1234
| lookup last_online_lookup _key as id OUTPUTNEW

One of the possible workarounds I've found is duplicating the key field in the collection so that it is accessible under another name. But the one I've opted for is changing the search to look like this:

| makeresults count=1
| eval id = 1234
| join type=left id [ | inputlookup last_online_lookup 
                      | eval id = _key ]

This achieves the desired result but I want to know if it's possible to match an event field to the internal _key field directly.

Any ideas?

Thanks.

0 Karma
Reply

starcher
Influencer
‎04-03-2020 05:31 AM

You need to add _key to the field list on the fields section of your lookup transform definition.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...