Splunk Search

How to search multiple field values from a table?

Explorer

I have a lot of details in my table, so I want to search values from some of the fields IN THOSE FIELDS There is one relationship between the 2 fields: memzipassignzip and provassignZip. I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields. I want build the report to search the criteria ..

My search is like this ..

index=$env$
GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ OR provassignZip=$ProvZipCode$|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip 

i have given the default values for text boxes '*' but am not getting the results ...could anyone help me ..in this query..

0 Karma
1 Solution

Revered Legend

Considering following is true, try something like this

"I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields"

 index=$env$
 GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ 
| eval zipcolumnTocheck=coalesce(memzipassignzip,provassignZip)
| search zipcolumnTocheck=$ProvZipCode$ OR zipcolumnTocheck=$MemZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode, ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip 

View solution in original post

0 Karma

Revered Legend

Considering following is true, try something like this

"I provassignZip has the value, memzipassignzip value is empty, and if the memzipassignzip has the value, provassignZip value is empty in their respective fields"

 index=$env$
 GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ 
| eval zipcolumnTocheck=coalesce(memzipassignzip,provassignZip)
| search zipcolumnTocheck=$ProvZipCode$ OR zipcolumnTocheck=$MemZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode, ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip 

View solution in original post

0 Karma

Explorer

hi... i have tried the query you have given but whenever am giving single value it's either memzipcode or porvzipcode am getting whole values so that's reason i have changed my query like this ....
index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip....

even through whenever am searching with with memzipcode and provzipcode am not getting results..except that everything is good...could you please give me some idea ...thanks

0 Karma

Revered Legend

Try replacing memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$ with (memzipassignzip=$MemZipCode$ OR provassignZip=$ProvZipCode$).

0 Karma

Explorer

i think you misunderstood my question..i will explain you.we have table with above fields...from that table i am trying to filter the fields using GroupNbr, ServiceDate, memzipassignzip,provassignZip ...
so i have build the dashboard with four text boxes. those are GroupNbr, ServiceDate, memzipassignzip,provassignZip. Initially those values are '*' i mean default values.

if i search with only single field i need results, either (GroupNbr, ServiceDate, memzipassignzip,provassignZip).. i can able to retrieve the results if i search only with one field..
if i search with combination of memzipassignzip,provassignZip am not getting the results... for that i have used this query in the dashboard..
index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND memzipassignzip=$MemZipCode$ AND provassignZip=$ProvZipCode$
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip

is their anyway ... thanks for helping me ....

0 Karma

Explorer

we have table like this this ..... i am giving example some of the fields
id groupnumber serivedate memzipassignzip provassignzip
1 ooo1 2017-1-2 65890 -
2 00002 2017-2-3 - 96580

if i have given the this values in the textbox 65890,96580 in their respective textboxes
i need two rows but am getting not even single one...

0 Karma

Revered Legend

How about this

index=$env$ | fillnull value=- provassignZip,memzipassignzip |search GroupNbr=$GroupNbr$ AND ServiceDate=$ServiceDate$ AND ((memzipassignzip=$MemZipCode$ AND provassignZip="-") OR (memzipassignzip="-" AND provassignZip=$ProvZipCode$))
|table id,Info,StartTime,EndTime,duration,StatusCode,StatusMessage,corpEntCd,Costlvlpctl,cptCode,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,GroupNbr,memzipassignzip,provassignZip
0 Karma

Explorer

thanks bro..it's working...

0 Karma

Revered Legend

The filter that you're writing (or want to write) works on each row of the result. But in your data, both memzipassignzip and provassignZip do not exist in same rows, (correct???), so what you want will not work. Other option would be to first run some command to get both the fields populated in all the rows and then filter the way you want.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!