Solved: search of 2 words in a field not in particular or...

surekhasplunk · ‎03-01-2018

I have a field called Manager Name which come is some files managerforename,managersurname and in some managersurname,managerforename. Now i have another lookup file which has two columns manager fullname and manager surname.
I am doing a concat to update the dropdown with the names of manager like managerforename,managersurname
Now using that token to search and update the tables below to show data for only that manager.

Everything works fine except certain scenarios where the name doesn have an exact match.

Example : From dropdown am getting Mark,Spencer to get a match from another file which has manager name like this: Mark Chalal,Spencer Hodd
So what i want is i just want to get a match if that name is contained in the other file.

|inputlookup employeemanager.csv| search "department name"="$deptname$" |eval "Manager Fullname"='Manager Forename' + "," + 'Manager Surname'| dedup "Manager Fullname"| table "Manager Fullname"

This is the code for the dropdown to get updated with corresponding departments manager names. So i get the manager name in the token say managername

Next i am using the token managername in my panel query

|inputlookup PerformanceData.csv |search "department name"="$deptname$"  "Performance Manager"="$managername$"| stats count as bla bla....

How to do this.

FrankVl · ‎03-01-2018

So you want to make Splunk match "Mark,Spencer" with "Mark Chalal,Spencer Hodd"? For this specific example, it should be possible to come up with some manipulations of the second string to strip out the extra parts. But what if there is also a "Mark David,Spencer Hodd" in the company?

To me this sounds like something that needs to be solved in the systems where you get this data from, either by using some proper identifier for people (personnel number or so), or by using a more consistent way of storing names.

View solution in original post

FrankVl · ‎03-01-2018

So you want to make Splunk match "Mark,Spencer" with "Mark Chalal,Spencer Hodd"? For this specific example, it should be possible to come up with some manipulations of the second string to strip out the extra parts. But what if there is also a "Mark David,Spencer Hodd" in the company?

To me this sounds like something that needs to be solved in the systems where you get this data from, either by using some proper identifier for people (personnel number or so), or by using a more consistent way of storing names.

surekhasplunk · ‎03-01-2018

Hi @FrankVI

Please let me know the manipulations thinking there wont be any of those cases. If something like that will happen then let it return two results for now till the names get fixed in the input files.

surekhasplunk · ‎03-01-2018

Ok can you tell me how to strip everything after comma from the token

FrankVl · ‎03-01-2018

The following modification to your panel search takes the Performance Manager field, pulls out the first firstname and first lastname and then concatenates those together again. (so transforming "Mark Chalal,Spencer Hodd" into "Mark,Spencer").

|inputlookup PerformanceData.csv
| rex field="Performance Manager" "^(?<firstname>\w+)[^,]*,(?<lastname>\w+)"
| eval fullname=firstname+","+lastname
|search "department name"="$deptname$"  fullname="$managername$"| stats count as bla bla....

search of 2 words in a field not in particular order

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!