Solved: Subselect latest value from lookup, releative to e...

lassel · ‎04-10-2015

I am trying to correlate a event with a kvstore lookup, but I don't have a common key besides the username. So I want the closest matching value from the kvstore.

In SQL it looks like this:
http://sqlfiddle.com/#!9/0d563/1/0

In splunk the 'events' table would be my index and and the 'hello' would be my kvstore collection.

How can I make the equivalent query in Splunk?

lassel · ‎04-10-2015

A learned the answer myself.

Splunk will search backwards by default, so by using the lookup command with a kvstore, you automatically get the closest matching event.

The equivalent splunk query to above would be:
index=events | lookup user by user OUTPUT message as message

View solution in original post

lassel · ‎04-10-2015

A learned the answer myself.

Splunk will search backwards by default, so by using the lookup command with a kvstore, you automatically get the closest matching event.

The equivalent splunk query to above would be:
index=events | lookup user by user OUTPUT message as message

Subselect latest value from lookup, releative to event

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms