Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to isolate a specific field in a lookup file

msage
Path Finder
‎10-13-2020 11:44 AM

I'm working on a project for work where I want to see employee entry data for specific groups. We have a lookup file that has everyone's cost center that I use to see everyone's entries into an office as well as what team they're in. However now I want to see more granular data by only showing one cost center rather than all of them. Here's my current search that I can't get to work

 

index="myindex" EVDESCR="Access Granted" READERDESC="yes*"
|lookup user_lookup.csv user_employee_number as EMPLOYEE_ID  
|search user_esc_cost_center="specific group"
|timechart span=1d dc(EMPLOYEE_ID) by FIRSTNAME

 

I keep getting 0 results but I'm not sure how else to get around to this. I'm fairly new to Splunk and am basically self teaching with a little help from our other teams. 

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

View solution in original post

Reply
Solved! Jump to solution

msage
Path Finder
‎10-23-2020 10:31 AM

Apologies for the late reply @bowesmana and @inventsekar . To answer your questions yes I can isolate the cost center when using the inputlookup command and it was indeed the timechart that was the culprit. I've figured it out using both your help so thank you very much! In case anyone else stumbles upon this question this is the search I used.

index="my index" EVDESCR="specific event" READERDESC="criteria"
| lookup user_lookup.csv user_employee_number as EMPLOYEE_ID 
|search user_esc_cost_center="specific cost center"
|timechart span=1d dc(CARDNUM) AS EVDESCR
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-13-2020 07:14 PM

Hi @msage .. using inputlookup command, are you able to search/filter out the particular group

|inputlookup user_lookup.csv 
|search user_esc_cost_center="specific group"

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability - October 2025

What’s New?  We’re excited to announce the latest enhancements to Splunk Observability Cloud and share what’s ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...