Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I "reverse-search" a lookup so the first match from the bottom is returned, or: can I prepend an entry to my lookup?

jeffland
SplunkTrust
SplunkTrust
‎02-19-2020 06:23 AM

Hi,

I need to lookup some values from a lookup with an id, and I have multiple values per id with more coming in from time to time. Entries are typically appended to the bottom of a lookup. The default behavior which uses the first match from the top is not what I need because I'm only interested in the latest entry per id though. It would be nice to be able to perform the lookup from bottom to top, or prepend the entry.

Here's what I came up with so far:

a) I could re-sort the lookup after inserting a new entry, effectively prepending the new entry
b) I could re-write the entire lookup on adding an entry, something like

| eval new lookup entry
| inputlookup append=t lookup
| outputlookup lookup

which would also prepend it
c) I could use max_matches=100000 on my lookup definition and return a multivalue field, then get the last entry with | eval field = mvindex(field, -1), effectively doing the lookup from bottom to top
d) I could furthermore work with a time based lookup, using some date in the past, to reduce the number of matches

Each of these has at least one downside though. a) is ugly: I need to handle the additional step, depending on how I create the entry this is more or less of a hassle. b) raises performance concerns: I'm moving around a potentially large amoung of lookup content. c) is even uglier, because multivalue with its limits and quirks, and d) means I need to know a sensible value for that date.

Any other ideas?

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎02-19-2020 06:32 AM

UPDATE: sorry, this answer is incorrect. A kv store stores entries in no particular order, it just happened to be like I assumed below in my scenario. Sorting has to happen on retrieval.

You can also take advantage of the fact that a kv store stores new values in _key-sorted order, meaning that if your kv store looks like

_key id field1
1234 1  foo
1235 2  bar
1236 3  baz

and you do

| makeresults
| eval _key = "1233", id = 1, field1 = "new"
| outputlookup append=t lookup

your kv store will look like this:

_key id field1
1233 1  new
1234 1  foo
1235 2  bar
1236 3  baz

This means your new value is prepended, and a lookup on id returns the new value. Candidates for such a decreasing key might be values such as 2000000000 minus epoch.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...