I am trying to correlate an event with a KV store lookup, but I don't have a common key besides the username. So I want the closest matching value from the KV store.
In SQL it looks like this:
http://sqlfiddle.com/#!9/0d563/1/0
In Splunk the 'events' table would be my index and the 'hello' would be my KV store collection.
How can I make the equivalent query in Splunk?
I learned the answer myself.
Splunk will search backwards by default, so by using the lookup command with a kvstore, you automatically get the closest matching event.
The equivalent Splunk query to the above would be (the lookup command takes the lookup definition name followed by the match field, with no "by" keyword):
index=events | lookup user user AS user OUTPUT message AS message
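To make the "closest matching row" semantics of the answer concrete, here is an added example (not from the original post or from Splunk) that emulates the lookup offline: for each event it picks the KV store row with the same user whose timestamp is nearest, tie-breaking toward the newer row since Splunk returns newest first. The sample events and rows are constructed; the field names _time, user and message are assumed.

```python
from datetime import datetime
from typing import Optional

# Constructed sample data: events from the "events" index and rows from the
# KV store collection, sharing only the user field.
EVENTS = [
    {"_time": datetime(2015, 6, 1, 10, 0), "user": "alice", "action": "login"},
    {"_time": datetime(2015, 6, 1, 12, 30), "user": "alice", "action": "download"},
    {"_time": datetime(2015, 6, 1, 9, 0), "user": "bob", "action": "login"},
    {"_time": datetime(2015, 6, 1, 9, 0), "user": "carol", "action": "login"},
]
KVSTORE = [
    {"_time": datetime(2015, 6, 1, 9, 45), "user": "alice", "message": "badge in"},
    {"_time": datetime(2015, 6, 1, 12, 0), "user": "alice", "message": "vpn up"},
    {"_time": datetime(2015, 6, 1, 14, 0), "user": "bob", "message": "badge out"},
]


def closest_row(event: dict, rows: list) -> Optional[dict]:
    """Return the KV store row for the same user whose _time is nearest the
    event's _time; on a tie the later row wins (newest-first ordering)."""
    candidates = [r for r in rows if r["user"] == event["user"]]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (abs(r["_time"] - event["_time"]), -r["_time"].timestamp()),
    )


def enrich(events: list, rows: list) -> list:
    """Emulate `lookup ... OUTPUT message`: copy message from the closest row.
    Users with no matching row get no message field, as lookup adds none."""
    out = []
    for ev in events:
        row = closest_row(ev, rows)
        enriched = dict(ev)
        if row is not None:
            enriched["message"] = row["message"]
        out.append(enriched)
    return out


if __name__ == "__main__":
    for ev in enrich(EVENTS, KVSTORE):
        print(ev["user"], ev["action"], ev.get("message", "<no match>"))
```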