Splunk Search

Return value from separate fields

kengilmour
Path Finder

Hello,

I'm looking for a solution to get data from two CSV files that will be used for a one-off search.

I have the following data:

CSV 1

  1. displayName=Full User's Name (e.g. "John Doe")
  2. ManagerRACF= The Manager's User ID (e.g. Jdoe002)
  3. sAMAccountName=User's User ID (e.g. Jdoe001)

CSV 2

  1. First_Name
  2. Last_Name
  3. Token_Nr

What I want to do is combine CSV2 with CSV1 (easy) and then find the person's manager's full name with nothing more than the ManagerRACF field (unknown).

For the first part:

source=CSV1.csv
| join displayName [search index="main" source="CSV2.csv" | eval displayName=First_Name." ".Last_Name | dedup displayName | fields + displayName, Token_Nr]
| table displayName, ManagerRACF, ManagerName, Token_Nr

This will join the two files and show the user's full name, the Manager's UserID and the user's Token number.

Now how do I get ManagerName to translate into the full name of the person's manager from CSV 1 based on the data in the ManagerRACF column? Basically what this means is, I need to find data in ManagerRACF (Jdoe002), search the sAMAccountName column for that value, and then return the results from displayName on that row into the ManagerName column.

Thanks!

Ken

lguinn2
Legend

I see that you indexed this data into Splunk, but honestly this doesn't seem like the best way to approach the problem. I think that CSV 1 (can we call it "AccountInfo") should be a lookup table, not indexed into Splunk.

If you load the CSV file into Splunk and create a lookup called AccountLookup (lookup tutorial here and manual here), then you can do this

source=csv2
| eval displayName = First_Name + " " + Last_Name
| lookup AccountLookup displayName OUTPUT ManagerRACF as inRACF
| lookup AccountLookup sAMAccountName as inRACF OUTPUT displayName as ManagerName

That should do it!

lguinn2
Legend

I guess all data is "static" - it's just a matter of the time frame! And illustrates the importance of actually understanding the data before making these decisions...

0 Karma

kristian_kolb
Ultra Champion

Aah, you might be right, I actually read "token" as "userID"

0 Karma

lguinn2
Legend

I agree, but I thought maybe the token assigned to the name changed regularly, and I certainly didn't want to get into time-based lookups as a starting point!

0 Karma

kristian_kolb
Ultra Champion

Yep, along my line of thinking as well. Actually both of the CSVs are pretty good candidates for lookup tables, and in my opinion CSV2 is preferable, as you tend to change managers more often than you change your name 🙂

/K

0 Karma

kengilmour
Path Finder

Imagine there is a table with two rows:

Headers

displayName, sAMAccountName, ManagerRACF, Token_Nr

Row 1
John Doe, JDoe001, JDoe002, 000000001

Row 2
Jane Doe, JDoe002, JDoe003, 000000002

Splunk should return the results as follows:

displayName, ManagerRACF, ManagerName, Token_Nr
John Doe, JDoe002, Jane Doe, 000000001

The displayName value from row 2 populates the "ManagerName" field in Splunk, based on the data in the "ManagerRACF" field from row 1.

Thanks!

Ken

0 Karma
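The two-stage lookup lguinn2 describes (name to ManagerRACF, then ManagerRACF back to displayName via sAMAccountName) and the expected output table Ken gives above, worked through in Python as an added example rather than SPL from the thread. The CSV rows are constructed to mirror Ken's sample; note that Ken's first post writes the manager ID as "Jdoe002" while his table writes "JDoe002", and Splunk CSV lookups match case-sensitively by default (`case_sensitive_match` in transforms.conf), so the example exposes that mismatch and shows the result with and without case-insensitive matching. Function and variable names are the example's own, not Splunk's.

```python
import csv
import io

# Constructed sample data mirroring the thread's two CSVs (not the poster's real files).
# CSV 1 ("AccountInfo"): note John's ManagerRACF is "Jdoe002" but Jane's
# sAMAccountName is "JDoe002", the case mismatch seen in the thread.
ACCOUNT_CSV = """displayName,sAMAccountName,ManagerRACF
John Doe,JDoe001,Jdoe002
Jane Doe,JDoe002,JDoe003
Jim Doe,JDoe003,
"""

# CSV 2: token holders. Jack Doe has no account row at all.
TOKEN_CSV = """First_Name,Last_Name,Token_Nr
John,Doe,000000001
Jane,Doe,000000002
Jack,Doe,000000004
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def build_lookup(rows, key_field, case_sensitive=True):
    """Index rows by key_field, the way a Splunk CSV lookup indexes its input field.
    Splunk matches case-sensitively by default; the flag mirrors case_sensitive_match.
    First match wins, which is what 'dedup' gave in the original join."""
    index = {}
    for row in rows:
        key = row[key_field] if case_sensitive else row[key_field].lower()
        index.setdefault(key, row)
    return index


def resolve_managers(account_csv, token_csv, case_sensitive=True):
    """Return one result row per token holder: displayName, ManagerRACF,
    ManagerName (resolved through sAMAccountName) and Token_Nr.
    Unresolvable values come back as None, like a lookup that returns nothing."""
    accounts = load_rows(account_csv)
    tokens = load_rows(token_csv)
    by_name = build_lookup(accounts, "displayName", case_sensitive)
    by_id = build_lookup(accounts, "sAMAccountName", case_sensitive)
    norm = (lambda s: s) if case_sensitive else str.lower

    results = []
    for t in tokens:
        # Stage 0: rebuild displayName from CSV 2, as the eval in the thread does.
        display_name = f"{t['First_Name']} {t['Last_Name']}"
        # Stage 1: displayName -> ManagerRACF
        acct = by_name.get(norm(display_name))
        manager_id = acct["ManagerRACF"] if acct else ""
        # Stage 2: ManagerRACF -> sAMAccountName -> displayName
        manager = by_id.get(norm(manager_id)) if manager_id else None
        results.append({
            "displayName": display_name,
            "ManagerRACF": manager_id or None,
            "ManagerName": manager["displayName"] if manager else None,
            "Token_Nr": t["Token_Nr"],
        })
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print(f"case_sensitive={mode}")
        for row in resolve_managers(ACCOUNT_CSV, TOKEN_CSV, case_sensitive=mode):
            print("  ", row)
```

With the default case-sensitive matching John's manager comes back empty because "Jdoe002" never matches "JDoe002"; with case-insensitive matching it resolves to Jane Doe, which is the row Ken expects. Jack Doe, who has a token but no account row, gets no manager at all, which is worth surfacing explicitly in an access review rather than silently dropping the row.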

kml_uvce
Builder

Can you explain more ...

kamal singh bisht
0 Karma