Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

events with the same id and sourcetype but different name field

leirga11
New Member
‎12-06-2017 07:13 PM

I've been working on a project and have been uploading several files on splunk. One of which is a headcount report that contains details of several people. the problem comes when a person changes his/her name(eg. when a girl marries and changes her lastname).

ID Name sourcetype
001 jasmin.i.quito st_headcount
001 jasmin.q.carcamo st_headcount

is there way that i can reference the old name to the new name? like tags or aliases?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-07-2017 09:00 AM

If you do not have another definitive field, you can create a lookup file containing 2 columns: name and alias and put all the aliases with every pairing (2 is 2 rows, 3 is 4 rows, etc). Then do a lookup and after that do this:

| eval names = mvjoin(name, alias)

Then use the mv names field.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-07-2017 09:00 AM

If you do not have another definitive field, you can create a lookup file containing 2 columns: name and alias and put all the aliases with every pairing (2 is 2 rows, 3 is 4 rows, etc). Then do a lookup and after that do this:

| eval names = mvjoin(name, alias)

Then use the mv names field.

0 Karma
Reply
Solved! Jump to solution

leirga11
New Member
‎12-07-2017 10:32 PM

thanks, this is really helpful, additional question though, how can I turn the result into a lookup?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-07-2017 10:50 PM

Add | outputlookup YourLookupNameHere.csv

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-07-2017 06:59 AM

Hi eirga11,
if you have a user_ID, you can use a search like this:

index=your_index
| stats values(User_Name) AS User_Name count BY User_ID
| where count>1

In this way you have all the users with more than one name.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎12-07-2017 06:18 AM

You can see all values for Name like this

... | stats values(Name) by ID

And then you can do whatever you need to do with the data.

However, bear in mind at some stage the data that contains the old username will expire, and you will have no record of what the old name was. If you need to track that kind of you could use a lookup, but you'd be better off querying your directory database instead.

There should be many answers - have a google for your specific use case

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...