Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to isolate a specific field in a lookup file

msage
Path Finder
‎10-13-2020 11:44 AM

I'm working on a project for work where I want to see employee entry data for specific groups. We have a lookup file that has everyone's cost center that I use to see everyone's entries into an office as well as what team they're in. However now I want to see more granular data by only showing one cost center rather than all of them. Here's my current search that I can't get to work

 

index="myindex" EVDESCR="Access Granted" READERDESC="yes*"
|lookup user_lookup.csv user_employee_number as EMPLOYEE_ID  
|search user_esc_cost_center="specific group"
|timechart span=1d dc(EMPLOYEE_ID) by FIRSTNAME

 

I keep getting 0 results but I'm not sure how else to get around to this. I'm fairly new to Splunk and am basically self teaching with a little help from our other teams. 

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

View solution in original post

Reply
Solved! Jump to solution

msage
Path Finder
‎10-23-2020 10:31 AM

Apologies for the late reply @bowesmana and @inventsekar . To answer your questions yes I can isolate the cost center when using the inputlookup command and it was indeed the timechart that was the culprit. I've figured it out using both your help so thank you very much! In case anyone else stumbles upon this question this is the search I used.

index="my index" EVDESCR="specific event" READERDESC="criteria"
| lookup user_lookup.csv user_employee_number as EMPLOYEE_ID 
|search user_esc_cost_center="specific cost center"
|timechart span=1d dc(CARDNUM) AS EVDESCR
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-13-2020 07:14 PM

Hi @msage .. using inputlookup command, are you able to search/filter out the particular group

|inputlookup user_lookup.csv 
|search user_esc_cost_center="specific group"

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top