Field value comparison

abdul
Explorer

Hi,

I want to achieve daily, weekly, monthly and yearly reports.

empDirectory.csv contains Employee ID, Employee Name, Manager, ManagerID

one.CSV contains Date1 and EMP_ID1
Two.csv contains Date2 and EMP_ID2
I want to check whether an employee from Two.csv is present in one.CSV on a particular date.
Below is my query.

| inputlookup one.CSV
| dedup EMP_ID1, Date1
| lookup empDirectory.csv EMP_ID as EMP_ID1
| search ManagerID=Manager1
| table Date1, EMP_ID1, ManagerID
| join
    [ inputlookup two.CSV
    | dedup EMP_ID2, Date2
    | lookup empDirectory.csv EMP_ID as EMP_ID2
    | search ManagerID=Manager1
    | table Date2, EMP_ID2 ]
| table Date1, EMP_ID1, ManagerID, Date2, EMP_ID2
| eval GoodEMP=if(EMP_ID1=EMP_ID2, "Good", "NotGood")
| search GoodEMP=GoodEMP
| table GoodEMP, "Employee ID", "Employee Name", Manager, ManagerID

Extending the above query to a timechart:

| timechart count(GoodEMP) as GoodEMP by Date2


Expected result:
Total number of GoodEMP per day under a manager.
I want to create monthly, weekly and yearly graphs.


ITWhisperer
SplunkTrust

A couple of things don't look quite right, although since this looks like an anonymised example, perhaps they are OK in your real search.

The two halves of the join don't have any common fields so nothing will join.

Assuming this is fixed so that you can join by id and date, you could move the lookup for manager to after the join so you only need to do it once.

If you do a left join, and join by id and date, and include a field from the second search that isn't in the first search, you will be able to tell which are good (by the presence of the field), e.g. eval good="Good"

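The approach described in the answer above, written out as an added example search (not part of the original post): both lookups are renamed onto common EMP_ID and Date fields so the left join has something to match on, a marker field from the subsearch signals presence, the manager lookup runs once after the join, and Date is parsed into _time so timechart can bucket by day. It assumes Date1 and Date2 share the format "%Y-%m-%d", that empDirectory.csv has the columns "Employee ID", "Employee Name", Manager and ManagerID, and that the manager of interest is ManagerID "Manager1".

```spl
| inputlookup one.csv
| dedup EMP_ID1, Date1
| rename EMP_ID1 AS EMP_ID, Date1 AS Date
| join type=left EMP_ID, Date
    [ inputlookup two.csv
    | dedup EMP_ID2, Date2
    | rename EMP_ID2 AS EMP_ID, Date2 AS Date
    | eval seen_in_two="Good" ]
| eval GoodEMP=if(isnotnull(seen_in_two), "Good", "NotGood")
| lookup empDirectory.csv "Employee ID" AS EMP_ID OUTPUT "Employee Name" AS EmployeeName, Manager, ManagerID
| where ManagerID="Manager1"
| eval _time=strptime(Date, "%Y-%m-%d")
| timechart span=1d count(eval(GoodEMP="Good")) AS GoodEMP
```

For the weekly, monthly and yearly views change only the last line, using span=1w, span=1mon or span=1y; to show every manager on one chart at once, drop the where clause and append "by ManagerID" to the timechart.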