Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

events with the same id and sourcetype but different name field

leirga11
New Member
‎12-06-2017 07:13 PM

I've been working on a project and have been uploading several files on splunk. One of which is a headcount report that contains details of several people. the problem comes when a person changes his/her name(eg. when a girl marries and changes her lastname).

ID Name sourcetype
001 jasmin.i.quito st_headcount
001 jasmin.q.carcamo st_headcount

is there way that i can reference the old name to the new name? like tags or aliases?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-07-2017 09:00 AM

If you do not have another definitive field, you can create a lookup file containing 2 columns: name and alias and put all the aliases with every pairing (2 is 2 rows, 3 is 4 rows, etc). Then do a lookup and after that do this:

| eval names = mvjoin(name, alias)

Then use the mv names field.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-07-2017 09:00 AM

If you do not have another definitive field, you can create a lookup file containing 2 columns: name and alias and put all the aliases with every pairing (2 is 2 rows, 3 is 4 rows, etc). Then do a lookup and after that do this:

| eval names = mvjoin(name, alias)

Then use the mv names field.

0 Karma
Reply
Solved! Jump to solution

leirga11
New Member
‎12-07-2017 10:32 PM

thanks, this is really helpful, additional question though, how can I turn the result into a lookup?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-07-2017 10:50 PM

Add | outputlookup YourLookupNameHere.csv

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-07-2017 06:59 AM

Hi eirga11,
if you have a user_ID, you can use a search like this:

index=your_index
| stats values(User_Name) AS User_Name count BY User_ID
| where count>1

In this way you have all the users with more than one name.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎12-07-2017 06:18 AM

You can see all values for Name like this

... | stats values(Name) by ID

And then you can do whatever you need to do with the data.

However, bear in mind at some stage the data that contains the old username will expire, and you will have no record of what the old name was. If you need to track that kind of you could use a lookup, but you'd be better off querying your directory database instead.

There should be many answers - have a google for your specific use case

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...