Solved: Re: Subselect latest value from lookup, releative ...

lassel · ‎04-10-2015

I am trying to correlate a event with a kvstore lookup, but I don't have a common key besides the username. So I want the closest matching value from the kvstore.

In SQL it looks like this:
http://sqlfiddle.com/#!9/0d563/1/0

In splunk the 'events' table would be my index and and the 'hello' would be my kvstore collection.

How can I make the equivalent query in Splunk?

lassel · ‎04-10-2015

A learned the answer myself.

Splunk will search backwards by default, so by using the lookup command with a kvstore, you automatically get the closest matching event.

The equivalent splunk query to above would be:
index=events | lookup user by user OUTPUT message as message

View solution in original post

lassel · ‎04-10-2015

A learned the answer myself.

Splunk will search backwards by default, so by using the lookup command with a kvstore, you automatically get the closest matching event.

The equivalent splunk query to above would be:
index=events | lookup user by user OUTPUT message as message

Subselect latest value from lookup, releative to event

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Subselect latest value from lookup, releative to event

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine