Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to join table of usertypes with user detail
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spammenot66
Contributor
03-13-2021
02:08 AM
I have a table of users and their position level across an organization. How would i join the table of positions and get their internal & external ids and fill in the column with bold green fonts?
Desired tabled:
| Name | Level | Internal ID | External ID |
| User 1 | Level1 | 904787 | ZZ88985 |
| User 2 | Level2 | 927819 | ZZ55135 |
| User 3 | Level2 | 701876 | ZZ64157 |
| User 4 | Level3 | 166387 | ZZ89635 |
| User 5 | Level3 | 73914 | ZZ93585 |
| User 6 | Level3 | 394497 | ZZ65026 |
| User 7 | Level3 | 200662 | ZZ99972 |
| User 8 | Level3 | 925192 | ZZ94890 |
| User 9 | Level4 | 254770 | ZZ45273 |
| User 10 | Level4 | 174055 | ZZ55961 |
| User 11 | Level4 | 344944 | ZZ81383 |
| User 12 | Level4 | 114436 | ZZ37757 |
| User 13 | Level4 | 672453 | ZZ68642 |
| User 14 | Level4 | 992512 | ZZ82497 |
| User 15 | Level4 | 915758 | ZZ33143 |
Based on the two tables below:
table of positions.
| Level 1 | Level2 | Level3 | Level4 |
| User 1 | User 2 | User 4 | User 9 |
| User 1 | User 2 | User 4 | User 10 |
| User 1 | User 2 | User 5 | User 11 |
| User 1 | User 2 | User 6 | User 12 |
| User 1 | User 3 | User 6 | User 13 |
| User 1 | User 3 | User 7 | User 14 |
| User 1 | User 3 | User 8 | User 15 |
User ID Detail
| UserID | Internal ID | External ID |
| User 1 | 773236 | ZZ60307 |
| User 2 | 720417 | ZZ91613 |
| User 3 | 327957 | ZZ36532 |
| User 4 | 865654 | ZZ28800 |
| User 5 | 128875 | ZZ67338 |
| User 6 | 858309 | ZZ60570 |
| User 7 | 878572 | ZZ56897 |
| User 8 | 804657 | ZZ72104 |
| User 9 | 90130 | ZZ13737 |
| User 10 | 983968 | ZZ68473 |
| User 11 | 33431 | ZZ88498 |
| User 12 | 205262 | ZZ93466 |
| User 13 | 505492 | ZZ45170 |
| User 14 | 876947 | ZZ91395 |
| User 15 | 229730 | ZZ18609 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
03-13-2021
07:29 AM
Transpose the positions table so it can be joined to the userid table
| makeresults | eval _raw="Level1,Level2,Level3,Level4
User 1,User 2,User 4,User 9
User 1,User 2,User 4,User 10
User 1,User 2,User 5,User 11
User 1,User 2,User 6,User 12
User 1,User 3,User 6,User 13
User 1,User 3,User 7,User 14
User 1,User 3,User 8,User 15"
| multikv forceheader=1
| fields - _* linecount
| stats values(*) as *
| transpose 0 column_name=Level
| rename "row 1" as UserID
| mvexpand UserID- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
03-13-2021
12:26 PM
Expanding on @ITWhisperer's answer:
| inputlookup spammenot66_levels.csv
| stats values(*) as *
| transpose 0 column_name=Level
| rename "row 1" as UserID
| mvexpand UserID
| inputlookup append=t spammenot66_users.csv
| stats values(Level) as Level values(External ID) as "External ID" values(Internal ID) as "Internal ID" by UserID
| rename UserID as Name
| rex field=Name "(?<sort_key>\d+)"
| sort 0 sort_key
| fields - sort_key- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
03-13-2021
07:29 AM
Transpose the positions table so it can be joined to the userid table
| makeresults | eval _raw="Level1,Level2,Level3,Level4
User 1,User 2,User 4,User 9
User 1,User 2,User 4,User 10
User 1,User 2,User 5,User 11
User 1,User 2,User 6,User 12
User 1,User 3,User 6,User 13
User 1,User 3,User 7,User 14
User 1,User 3,User 8,User 15"
| multikv forceheader=1
| fields - _* linecount
| stats values(*) as *
| transpose 0 column_name=Level
| rename "row 1" as UserID
| mvexpand UserID- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spammenot66
Contributor
03-14-2021
07:51 PM
@ITWhisperer, @tscroggins - I finally figured out a solution a couple hours after posting this. But your solution is by far, more elegant and simpler than mine. Thank you 3000
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
