Solved: Re: Subselect latest value from lookup, releative ...

lassel · ‎04-10-2015

I am trying to correlate a event with a kvstore lookup, but I don't have a common key besides the username. So I want the closest matching value from the kvstore.

In SQL it looks like this:
http://sqlfiddle.com/#!9/0d563/1/0

In splunk the 'events' table would be my index and and the 'hello' would be my kvstore collection.

How can I make the equivalent query in Splunk?

lassel · ‎04-10-2015

A learned the answer myself.

Splunk will search backwards by default, so by using the lookup command with a kvstore, you automatically get the closest matching event.

The equivalent splunk query to above would be:
index=events | lookup user by user OUTPUT message as message

View solution in original post

lassel · ‎04-10-2015

A learned the answer myself.

Splunk will search backwards by default, so by using the lookup command with a kvstore, you automatically get the closest matching event.

The equivalent splunk query to above would be:
index=events | lookup user by user OUTPUT message as message

Subselect latest value from lookup, releative to event

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation

Subselect latest value from lookup, releative to event

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI