I've been working on a project and have been uploading several files on Splunk. One of them is a headcount report that contains details of several people. The problem comes when a person changes his/her name (e.g. when a girl marries and changes her last name).
ID   Name              sourcetype
001  jasmin.i.quito    st_headcount
001  jasmin.q.carcamo  st_headcount
Is there a way that I can reference the old name to the new name? Like tags or aliases?
If you do not have another definitive field, you can create a lookup file containing 2 columns: name and alias, and put all the aliases with every pairing (2 is 2 rows, 3 is 4 rows, etc). Then do a lookup and after that do this:
| eval names = mvappend(name, alias)
Then use the mv names field.
Thanks, this is really helpful. Additional question though: how can I turn the result into a lookup?
Add | outputlookup YourLookupNameHere.csv
Hi eirga11,
if you have a user_ID, you can use a search like this:
index=your_index
| stats values(User_Name) AS User_Name dc(User_Name) AS count BY User_ID
| where count>1
In this way you have all the users with more than one name.
Bye.
Giuseppe
You can see all values for Name like this
... | stats values(Name) by ID
And then you can do whatever you need to do with the data.
However, bear in mind at some stage the data that contains the old username will expire, and you will have no record of what the old name was. If you need to track that kind of you could use a lookup, but you'd be better off querying your directory database instead.
There should be many answers - have a google for your specific use case
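An added example, not taken from any of the posts above: one search that builds the name/alias pairing lookup discussed in this thread directly from the headcount data. It assumes the ID and Name fields and the st_headcount sourcetype from the question; the lookup file name name_aliases.csv is a placeholder. The search keeps only IDs that have more than one name, expands every name against every other name for the same ID, and writes one row per pairing.

```spl
sourcetype=st_headcount
| stats values(Name) AS name BY ID
| where mvcount(name) > 1
| eval alias = name
| mvexpand name
| mvexpand alias
| where name != alias
| table ID name alias
| outputlookup name_aliases.csv
```

Searches can then append | lookup name_aliases.csv name AS Name OUTPUT alias followed by | eval names = mvappend(Name, alias) to carry every known name for a person. Scheduling the build search over a window shorter than the index retention keeps old names in the lookup from being lost when the original events expire.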