Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to isolate a specific field in a lookup file

msage
Path Finder
‎10-13-2020 11:44 AM

I'm working on a project for work where I want to see employee entry data for specific groups. We have a lookup file that has everyone's cost center that I use to see everyone's entries into an office as well as what team they're in. However now I want to see more granular data by only showing one cost center rather than all of them. Here's my current search that I can't get to work

 

index="myindex" EVDESCR="Access Granted" READERDESC="yes*"
|lookup user_lookup.csv user_employee_number as EMPLOYEE_ID  
|search user_esc_cost_center="specific group"
|timechart span=1d dc(EMPLOYEE_ID) by FIRSTNAME

 

I keep getting 0 results but I'm not sure how else to get around to this. I'm fairly new to Splunk and am basically self teaching with a little help from our other teams. 

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

View solution in original post

Reply
Solved! Jump to solution

msage
Path Finder
‎10-23-2020 10:31 AM

Apologies for the late reply @bowesmana and @inventsekar . To answer your questions yes I can isolate the cost center when using the inputlookup command and it was indeed the timechart that was the culprit. I've figured it out using both your help so thank you very much! In case anyone else stumbles upon this question this is the search I used.

index="my index" EVDESCR="specific event" READERDESC="criteria"
| lookup user_lookup.csv user_employee_number as EMPLOYEE_ID 
|search user_esc_cost_center="specific cost center"
|timechart span=1d dc(CARDNUM) AS EVDESCR
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-13-2020 07:14 PM

Hi @msage .. using inputlookup command, are you able to search/filter out the particular group

|inputlookup user_lookup.csv 
|search user_esc_cost_center="specific group"

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2020 07:10 PM

@msage 

Does your lookup find the EMPLOYEE_ID field in the and return the fields from that employee, i.e. if you do

| table EMPLOYEE_ID FIRSTNAME user_esc_cost_center

after the lookup command, do you see the employees and their names+cost centres?  Is FIRSTNAME from your data or the lookup?

if so, then the timechart command is the culprit. In any case, is that timechart command doing what you want, i.e. it will show you per day, the number of unique employee ids for each first name, e.g.

Today, Peter, 10 employees

Yesterday, Jane, 4 employees

but if you are getting no results, then do you have a field called FIRSTNAME

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top