Getting Data In

events with the same id and sourcetype but different name field

leirga11
New Member

I've been working on a project and have been uploading several files to Splunk, one of which is a headcount report that contains details of several people. The problem comes when a person changes his/her name (e.g. when a girl marries and changes her last name).

ID    Name                sourcetype
001   jasmin.i.quito      st_headcount
001   jasmin.q.carcamo    st_headcount

Is there a way that I can reference the old name to the new name? Like tags or aliases?

0 Karma
1 Solution

woodcock
Esteemed Legend

If you do not have another definitive field, you can create a lookup file containing 2 columns, name and alias, and put all the aliases with every pairing (2 is 2 rows, 3 is 4 rows, etc.). Then do a lookup and after that do this:

| eval names = mvappend(name, alias)

Then use the mv names field.


0 Karma

leirga11
New Member

Thanks, this is really helpful. Additional question though: how can I turn the result into a lookup?

0 Karma

woodcock
Esteemed Legend

Add | outputlookup YourLookupNameHere.csv

0 Karma
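Putting the accepted answer and the outputlookup follow-up together, here is an added example; it is not code from either poster. It assumes the events live in an index called your_index, that the fields are ID and Name exactly as in the sample rows of the question, and that the lookup file is called name_aliases.csv; the index name and the lookup file name are assumptions. The first search derives every ordered name/alias pairing for IDs that carry more than one name and writes it to the lookup; the second search applies that lookup to the headcount events, builds the multivalue names field, and shows how a search on the old name now finds the events carrying the new one.

```spl
index=your_index sourcetype=st_headcount
| stats values(Name) AS name BY ID
| where mvcount(name) > 1
| eval alias=name
| mvexpand name
| mvexpand alias
| where name!=alias
| table name alias
| outputlookup name_aliases.csv

index=your_index sourcetype=st_headcount
| lookup name_aliases.csv name AS Name OUTPUT alias
| eval names=if(isnull(alias), Name, mvappend(Name, alias))
| search names="jasmin.i.quito"
| table ID Name names
```

In the first search, values() deduplicates and sorts the names per ID, the two mvexpand calls produce every ordered pair, and the where clause drops the name-to-itself rows, so an ID with three names yields six lookup rows. In the second search, lookup returns alias as a multivalue field when several rows match, so names holds every name the ID has ever had, and a search on any one of them matches. outputlookup overwrites the file each time it runs; if you rebuild it on a schedule, use outputlookup append=true so pairings survive after the events that produced them age out of the index, which is the retention problem raised later in this thread. The lookup links a person's former and current names, so treat it as personal data and restrict its sharing permissions in Splunk to the roles that need it.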

gcusello
SplunkTrust

Hi leirga11,
if you have a user_ID, you can use a search like this:

index=your_index
| stats values(User_Name) AS User_Name count BY User_ID
| where count>1

In this way you have all the users with more than one name.

Bye.
Giuseppe

0 Karma

jplumsdaine22
Influencer

You can see all values for Name like this

... | stats values(Name) by ID

And then you can do whatever you need to do with the data.

However, bear in mind that at some stage the data that contains the old username will expire, and you will have no record of what the old name was. If you need to track that kind of thing you could use a lookup, but you'd be better off querying your directory database instead.

There should be many answers - have a google for your specific use case

0 Karma