Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to isolate a specific field in a lookup file

msage
Path Finder
‎10-13-2020 11:44 AM

I'm working on a project for work where I want to see employee entry data for specific groups. We have a lookup file that has everyone's cost center that I use to see everyone's entries into an office as well as what team they're in. However now I want to see more granular data by only showing one cost center rather than all of them. Here's my current search that I can't get to work

 

index="myindex" EVDESCR="Access Granted" READERDESC="yes*"
|lookup user_lookup.csv user_employee_number as EMPLOYEE_ID  
|search user_esc_cost_center="specific group"
|timechart span=1d dc(EMPLOYEE_ID) by FIRSTNAME

 

I keep getting 0 results but I'm not sure how else to get around to this. I'm fairly new to Splunk and am basically self teaching with a little help from our other teams. 

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

View solution in original post

Reply
Solved! Jump to solution

msage
Path Finder
‎10-23-2020 10:31 AM

Apologies for the late reply @bowesmana and @inventsekar . To answer your questions yes I can isolate the cost center when using the inputlookup command and it was indeed the timechart that was the culprit. I've figured it out using both your help so thank you very much! In case anyone else stumbles upon this question this is the search I used.

index="my index" EVDESCR="specific event" READERDESC="criteria"
| lookup user_lookup.csv user_employee_number as EMPLOYEE_ID 
|search user_esc_cost_center="specific cost center"
|timechart span=1d dc(CARDNUM) AS EVDESCR
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-13-2020 07:14 PM

Hi @msage .. using inputlookup command, are you able to search/filter out the particular group

|inputlookup user_lookup.csv 
|search user_esc_cost_center="specific group"

 

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...