topic Re: How to search multiple field values from a table? in Splunk Search

How to search multiple field values from a table?

prashanthberam — Tue, 03 Jan 2017 22:30:44 GMT

I have a lot of details in my table, so I want to search values from some of the fields IN THOSE FIELDS There is one relationship between the 2 fields: memzipassignzip and provassignZip. I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields. I want build the report to search the criteria ..

My search is like this ..

index=$env$
GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ OR provassignZip=$ProvZipCode$|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip

i have given the default values for text boxes '*' but am not getting the results ...could anyone help me ..in this query..

Re: How to search multiple field values from a table?

somesoni2 — Tue, 03 Jan 2017 22:58:30 GMT

Considering following is true, try something like this

"I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields"

 index=$env$
 GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ 
| eval zipcolumnTocheck=coalesce(memzipassignzip,provassignZip)
| search zipcolumnTocheck=$ProvZipCode$ OR zipcolumnTocheck=$MemZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode, ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip

Re: How to search multiple field values from a table?

prashanthberam — Wed, 04 Jan 2017 15:54:31 GMT

hi... i have tried the query you have given but whenever am giving single value it's either memzipcode or porvzipcode am getting whole values so that's reason i have changed my query like this ....
index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip....

even through whenever am searching with with memzipcode and provzipcode am not getting results..except that everything is good...could you please give me some idea ...thanks

Re: How to search multiple field values from a table?

somesoni2 — Wed, 04 Jan 2017 16:23:27 GMT

Try replacing memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$ with (memzipassignzip=$MemZipCode$ OR provassignZip=$ProvZipCode$).

Re: How to search multiple field values from a table?

prashanthberam — Wed, 04 Jan 2017 16:43:05 GMT

i think you misunderstood my question..i will explain you.we have table with above fields...from that table i am trying to filter the fields using GroupNbr, ServiceDate, memzipassignzip,provassignZip ...
so i have build the dashboard with four text boxes. those are GroupNbr, ServiceDate, memzipassignzip,provassignZip. Initially those values are '*' i mean default values.

if i search with only single field i need results, either (GroupNbr, ServiceDate, memzipassignzip,provassignZip).. i can able to retrieve the results if i search only with one field..
if i search with combination of memzipassignzip,provassignZip am not getting the results... for that i have used this query in the dashboard..
index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip

is their anyway ... thanks for helping me ....

Re: How to search multiple field values from a table?

somesoni2 — Wed, 04 Jan 2017 16:57:41 GMT

The filter that you're writing (or want to write) works on each row of the result. But in your data, both memzipassignzip and provassignZip do not exist in same rows, (correct???), so what you want will not work. Other option would be to first run some command to get both the fields populated in all the rows and then filter the way you want.

Re: How to search multiple field values from a table?

prashanthberam — Wed, 04 Jan 2017 16:57:53 GMT

we have table like this this ..... i am giving example some of the fields
id groupnumber serivedate memzipassignzip provassignzip
1 ooo1 2017-1-2 65890 -
2 00002 2017-2-3 - 96580

if i have given the this values in the textbox 65890,96580 in their respective textboxes
i need two rows but am getting not even single one...

Re: How to search multiple field values from a table?

somesoni2 — Wed, 04 Jan 2017 17:00:11 GMT

How about this

index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND ((memzipassignzip=$MemZipCode$ AND provassignZip="-") OR (memzipassignzip="-" AND provassignZip=$ProvZipCode$))
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip

Re: How to search multiple field values from a table?

prashanthberam — Wed, 04 Jan 2017 17:15:16 GMT

thanks bro..it's working...