topic Re: Return value from separate fields in Splunk Search

Return value from separate fields

kengilmour — Wed, 07 Aug 2013 09:59:00 GMT

Hello,

I'm looking for a solution to get data from two CSV files that will be used for a one-off search.

I have the following data:

CSV 1

displayName=Full User's Name (e.g. "John Doe")
ManagerRACF= The Manager's User ID (e.g. Jdoe002)
sAMAccountName=User's User ID (e.g. Jdoe001)

CSV 2

First_Name
Last_Name
Token_Nr

What I want to do is get combine CSV2 with CSV1 (easy) and then find the person's manager's full name with nothing more than the ManagerRACF field (unknown).

For the first part:

source=CSV1.csv
|join displayName[search index="main" source="CSV2.csv" | eval displayName=First_Name." ".Last_Name |dedup displayName| fields + displayName]
| table displayName, ManagerRACF, ManagerName, Token_Nr

This will join the two files and show the user's full name, the Manager's UserID and the user's Token number.

Now how do i get ManagerName to translate into the full name of the person's manager from CSV 1 based on the data in the ManagerRACF column? Basically what this means is, I need to find data in ManagerRACF (Jdoe002) search the sAMAccountName column for that value, and then return the results from displayName on that row into the ManagerName column.

Thanks!

Ken

Re: Return value from separate fields

kml_uvce — Wed, 07 Aug 2013 10:55:31 GMT

can you explain more ...

Re: Return value from separate fields

kengilmour — Wed, 07 Aug 2013 11:12:58 GMT

Imagine there is a table with two rows:

Headers

displayName, sAMAccountName, ManagerRACF, Token_Nr

Row 1
John Doe, JDoe001, JDoe002, 000000001

Row 2
Jane Doe, JDoe002, JDoe003, 000000002

Splunk should return the results as follows:

displayName, ManagerRACF, ManagerName, Token_Nr
John Doe, JDoe002, Jane Doe, 000000001

The displayName value from row 2 populates "ManagerName" value field in splunk, based on the data in the "ManagerRACF" value field from row 1.

Thanks!

Ken

Re: Return value from separate fields

lguinn2 — Wed, 07 Aug 2013 21:41:14 GMT

I see that you indexed this data into Splunk, but honestly this doesn't seem like the best way to approach the problem. I think that CSV 1 (can we call it "AccountInfo") should be a lookup table, not indexed into Splunk.

If you load the CSV file into Splunk and create a lookup called AccountLookup (lookup tutorial here and manual here), then you can do this

source=csv2
| eval displayName = First_Name + " " + Last_Name
| lookup AccountLookup displayName OUTPUT ManagerRACF as inRACF
| lookup AccountLookup sAMAccountName as inRACF OUTPUT displayName as ManagerName

That should do it!

Re: Return value from separate fields

kristian_kolb — Thu, 08 Aug 2013 10:34:13 GMT

Yep, along my line of thinking as well. Actually both of the CSV's are pretty good candidates for lookup tables, and in my opinion CSV2 is preferable, as you tend to change managers more often than you change your name 🙂

Re: Return value from separate fields

lguinn2 — Thu, 08 Aug 2013 18:11:57 GMT

I agree, but I thought maybe the token assigned to the name changed regularly, and I certainily didn't want to get into time-based lookups as a starting point!

Re: Return value from separate fields

kristian_kolb — Fri, 09 Aug 2013 08:29:54 GMT

Aah, you might be right, I actually read "token" as "userID"

Re: Return value from separate fields

lguinn2 — Fri, 09 Aug 2013 17:21:10 GMT

I guess all data is "static" - it's just a matter of the time frame! And illustrates the importance of actually understanding the data before making these decisions...