Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search using my sample data to display two fields under one column and their values under another column in a dashboard?

athorat
Communicator
‎08-15-2016 01:24 PM

I have data flowing in from IVR logs and have three fields I'm using which I want to build a dashboard.
The event will have data either searched by a phone number or field called search.

I want to get column data showing:

ColumnName --->   SearchType       SearchString       Response Count
                  phoneNumber      00001234           0
                  search           0000000000         0

How do I club phoneNumber and search to assign to a field called SearchType and its values to SearchString?

Event 1 (contains logs which uses field search)

>> SearchPost Request: {requestParam={docType=policy, sourceSystem=[hdes, pup], **search**=00001234, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 117

Event 2 (contains logs which uses field phoneNumber)

>> SearchPost Request: {requestParam={docType=policy, **phoneNumber**={value=0000000000, type=[*]}, sourceSystem=[pas, mais, cogen, hdes, pup, sis, maig_auto, maig_home], search=, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 18
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-15-2016 02:01 PM

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-15-2016 02:01 PM

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"
0 Karma
Reply
Solved! Jump to solution

athorat
Communicator
‎08-15-2016 01:54 PM

Thanks @sundareshr
it seems it assigned the proper values but the searchType shows only values for "search"
if I Filter data by SearchType(phoneNumber), SearchString field disappears.

Thanks again for looking into this.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-15-2016 02:02 PM

Is phoneNumber extracted as a field? What do you get when you type this search

...  | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | table search phoneNumber SearchType SearchString
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-15-2016 01:31 PM

Try this

.... | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | stats count by SearchType SearchString
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...