
events with the same id and sourcetype but different name field

leirga11
New Member

I've been working on a project and have been uploading several files to Splunk. One of them is a headcount report that contains details of several people. The problem comes when a person changes his/her name (e.g. when a girl marries and changes her last name).

ID   Name              sourcetype
001  jasmin.i.quito    st_headcount
001  jasmin.q.carcamo  st_headcount

Is there a way that I can reference the old name to the new name? Like tags or aliases?

1 Solution

woodcock
Esteemed Legend

If you do not have another definitive field, you can create a lookup file containing 2 columns, name and alias, and put in all the aliases with every pairing (2 is 2 rows, 3 is 4 rows, etc.). Then do a lookup and after that do this:

| eval names = mvappend(name, alias)

Then use the mv names field.



leirga11
New Member

Thanks, this is really helpful. An additional question though: how can I turn the result into a lookup?


woodcock
Esteemed Legend

Add | outputlookup YourLookupNameHere.csv


gcusello
SplunkTrust

Hi leirga11,
if you have a user_ID, you can use a search like this:

index=your_index
| stats values(User_Name) AS User_Name count BY User_ID
| where count>1

In this way you have all the users with more than one name.

Bye.
Giuseppe

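The two approaches above (group names by ID, then build a name/alias lookup and use the multivalue result) can be checked offline before running them against a real index. The following is an added example written for this page, not code from the thread or from Splunk: it reproduces the SPL steps in plain Python over a constructed set of headcount events, using only the field names ID, Name and sourcetype from the question. The file name name_alias.csv and the helper names are assumptions for illustration.

```python
"""Alias lookup for people whose name changed but whose ID stayed constant.

Added example, not from the original thread: it reproduces in plain Python
what the thread does in SPL (stats values(Name) by ID, then a name/alias
lookup, then mvappend), so the logic can be checked offline. The events
below are constructed sample data; the field names ID/Name/sourcetype come
from the question, nothing else is from the original page.
"""
import csv
import io
from collections import defaultdict
from itertools import permutations

# Constructed sample of headcount events (ID, Name, sourcetype).
SAMPLE_EVENTS = [
    {"ID": "001", "Name": "jasmin.i.quito",   "sourcetype": "st_headcount"},
    {"ID": "001", "Name": "jasmin.q.carcamo", "sourcetype": "st_headcount"},
    {"ID": "002", "Name": "bob.smith",        "sourcetype": "st_headcount"},
    {"ID": "003", "Name": "ana.lopez",        "sourcetype": "st_headcount"},
    {"ID": "003", "Name": "ana.lopez-ruiz",   "sourcetype": "st_headcount"},
    {"ID": "003", "Name": "ana.ruiz",         "sourcetype": "st_headcount"},
    # Duplicate event: the same name seen again must not produce extra rows.
    {"ID": "001", "Name": "jasmin.i.quito",   "sourcetype": "st_headcount"},
]


def names_by_id(events, sourcetype="st_headcount"):
    """Equivalent of `... | stats values(Name) by ID`: distinct names per ID,
    kept in first-seen order."""
    seen = defaultdict(list)
    for ev in events:
        if ev.get("sourcetype") != sourcetype:
            continue
        if ev["Name"] not in seen[ev["ID"]]:
            seen[ev["ID"]].append(ev["Name"])
    return dict(seen)


def ids_with_multiple_names(events):
    """Equivalent of `| stats values(Name) AS Name count BY ID | where count>1`,
    but counting distinct names so a repeated event does not trigger a hit."""
    return {i: n for i, n in names_by_id(events).items() if len(n) > 1}


def alias_rows(events):
    """Build the two-column name/alias lookup from the accepted answer.
    Every ordered pairing is emitted so that a lookup on `name` returns all
    other names for the same ID: 2 names give 2 rows, 3 names give 6."""
    rows = []
    for _id, names in sorted(ids_with_multiple_names(events).items()):
        for name, alias in permutations(names, 2):
            rows.append({"name": name, "alias": alias})
    return rows


def alias_lookup_csv(events):
    """Serialise the rows the way `| outputlookup name_alias.csv` would
    (name_alias.csv is an assumed file name)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["name", "alias"], lineterminator="\n")
    w.writeheader()
    w.writerows(alias_rows(events))
    return buf.getvalue()


def resolve_names(name, rows):
    """Equivalent of `| lookup name_alias.csv name OUTPUT alias
    | eval names = mvappend(name, alias)`: the name itself plus every alias
    the lookup returns, as a multivalue-style list. A name with no aliases
    resolves to itself only."""
    aliases = [r["alias"] for r in rows if r["name"] == name]
    return [name] + aliases


if __name__ == "__main__":
    rows = alias_rows(SAMPLE_EVENTS)
    print(alias_lookup_csv(SAMPLE_EVENTS))
    print(resolve_names("jasmin.i.quito", rows))
    print(resolve_names("bob.smith", rows))
```

Two practical points. The example emits every ordered pairing, so an ID with n distinct names produces n*(n-1) rows; if you only want each person's current name, add a column for it instead of pairing everything. And because this lookup maps identities, treat it as sensitive: a wrong or tampered row silently attributes one person's events to another, so restrict who can write it with outputlookup, keep it under version control, and (as noted below) prefer the directory service as the authoritative source once the old events have aged out.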

jplumsdaine22
Influencer

You can see all values for Name like this

... | stats values(Name) by ID

And then you can do whatever you need to do with the data.

However, bear in mind that at some stage the data that contains the old username will expire, and you will have no record of what the old name was. If you need to track that kind of thing you could use a lookup, but you'd be better off querying your directory database instead.

There should be many answers - have a google for your specific use case
