Splunk Search

How to search multiple field values from a table?

prashanthberam
Explorer

I have a lot of details in my table, so I want to search values from some of the fields IN THOSE FIELDS There is one relationship between the 2 fields: memzipassignzip and provassignZip. I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields. I want build the report to search the criteria ..

My search is like this ..

index=$env$
GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ OR provassignZip=$ProvZipCode$|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip 

i have given the default values for text boxes '*' but am not getting the results ...could anyone help me ..in this query..

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Considering following is true, try something like this

"I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields"

 index=$env$
 GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ 
| eval zipcolumnTocheck=coalesce(memzipassignzip,provassignZip)
| search zipcolumnTocheck=$ProvZipCode$ OR zipcolumnTocheck=$MemZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode, ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip 

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Considering following is true, try something like this

"I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields"

 index=$env$
 GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ 
| eval zipcolumnTocheck=coalesce(memzipassignzip,provassignZip)
| search zipcolumnTocheck=$ProvZipCode$ OR zipcolumnTocheck=$MemZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode, ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip 
0 Karma

prashanthberam
Explorer

hi... i have tried the query you have given but whenever am giving single value it's either memzipcode or porvzipcode am getting whole values so that's reason i have changed my query like this ....
index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip....

even through whenever am searching with with memzipcode and provzipcode am not getting results..except that everything is good...could you please give me some idea ...thanks

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try replacing memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$ with (memzipassignzip=$MemZipCode$ OR provassignZip=$ProvZipCode$).

0 Karma

prashanthberam
Explorer

i think you misunderstood my question..i will explain you.we have table with above fields...from that table i am trying to filter the fields using GroupNbr, ServiceDate, memzipassignzip,provassignZip ...
so i have build the dashboard with four text boxes. those are GroupNbr, ServiceDate, memzipassignzip,provassignZip. Initially those values are '*' i mean default values.

if i search with only single field i need results, either (GroupNbr, ServiceDate, memzipassignzip,provassignZip).. i can able to retrieve the results if i search only with one field..
if i search with combination of memzipassignzip,provassignZip am not getting the results... for that i have used this query in the dashboard..
index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip

is their anyway ... thanks for helping me ....

0 Karma

prashanthberam
Explorer

we have table like this this ..... i am giving example some of the fields
id groupnumber serivedate memzipassignzip provassignzip
1 ooo1 2017-1-2 65890 -
2 00002 2017-2-3 - 96580

if i have given the this values in the textbox 65890,96580 in their respective textboxes
i need two rows but am getting not even single one...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

How about this

index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND ((memzipassignzip=$MemZipCode$ AND provassignZip="-") OR (memzipassignzip="-" AND provassignZip=$ProvZipCode$))
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip
0 Karma

prashanthberam
Explorer

thanks bro..it's working...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The filter that you're writing (or want to write) works on each row of the result. But in your data, both memzipassignzip and provassignZip do not exist in same rows, (correct???), so what you want will not work. Other option would be to first run some command to get both the fields populated in all the rows and then filter the way you want.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...