Mapping OOID number to OOID name

splunkman341 · ‎08-21-2015

Hi guys,

I currently have a search set up that searches for the most active OOIDs( Organization ID Folder) with the most number of AOIDS( Associate ID's) uploading documents. It's all gravy currently but I want to include an extra step. Currently, it is displaying a unique OOID number which represents the organization with the actual number of AOIDS. I want to also include the actual OOID name and number while still displaying the AOID count.

For example the way it is set up now,

OOID:12445456665578 AOID: 657

OOID:8966758548348 AOID:7895

What I want:

OOID: Barney's Sub Shop (12445456665578 ) AOID:657

OOID: Merlin's Swords(8966758548348) AOID:7895

In addition to this, I have already setup an lookup table with an automatic look up called "client_ooid_to_name" which has the OOID numbers mapped to an actual OOID name.

The current search that I have ( that is needing the additional mapping explained above):

index=doccloud_main sourcetype=doccloud_catalina NOT "eedocs" | stats dc(AOID) AS AOIDs by OOID|  sort 10 - AOIDs

Thanks in advance for your help

Richfez · ‎08-21-2015

If it is an automatic lookup and set up correctly, it should already work.

If the automatic lookup "client_ooid_to_name" has two columns: say "ooid" and "real_name", then if it's right the field "real_name" should be in your fields somewhere already when you search this data. Check that - if it's there, great. If not, time to check your lookup and the automatic lookup, perhaps by following through this from the docs.

So, if you have "real_name" in your fields, just replace the OOID by "real_name", like so:

index=doccloud_main sourcetype=doccloud_catalina NOT "eedocs" 
| stats dc(AOID) AS AOIDs by real_name
| sort 10 - AOIDs

Richfez · ‎08-25-2015

Try this instead, then.

index=doccloud_main sourcetype=doccloud_catalina NOT "eedocs"
| lookup client_ooid_to_name OOID OUTPUT clientName
| stats dc(AOID) AS AOIDs by clientName
| sort 10 - AOIDs

If that works, great. If it doesn't, just try the first two lines (the root search and the lookup) and make sure that returns clientName and let me know.

Richfez · ‎08-25-2015

So clientName shows up in other searches, but not in this one? Let's troubleshoot one step at a time to see where it's going wrong.

Start with your root search:

index=doccloud_main sourcetype=doccloud_catalina NOT "eedocs"

Make sure in the results that you have OOID and clientName. If you have OOID but not clientName, there's something not right with the lookup. If you have neither, that information isn't in this particular data. If you have both, that part works. My guess is this that it's one of the first two options because there's little reason the stats and sort wouldn't work if everything else did.

If it HAS clientName, then add your stats to the end and see what happens. The sort is inconsequential and will likely "just work" if the data's already right.

If it did NOT have clientName, then we have more work to do debugging why your automatic lookup is working only on some searches. Could you, in that case, post a search where the lookup works and returns clientName? Comparing that may help us figure out where that's going wrong.

splunkman341 · ‎08-25-2015

Hi Rich and thanks for you're anwser,

In my data, real_name is actually "clientName". With that being said, I have tried inserting clientName into the search you have provided above and it does not generate any statistics. I know the lookup table is correctly set up because I have other searches pointing to that same lookup table and referencing the same "clientName" and are working, I just can't get the right search string going.

Do you have any other suggestions on what to do next?

Mapping OOID number to OOID name

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!