Splunk Search

How to write a search using my sample data to display two fields under one column and their values under another column in a dashboard?

athorat
Communicator

I have data flowing in from IVR logs and have three fields I'm using which I want to build a dashboard.
The event will have data either searched by a phone number or field called search.

I want to get column data showing:

ColumnName --->   SearchType       SearchString       Response Count
                  phoneNumber      00001234           0
                  search           0000000000         0

How do I club phoneNumber and search to assign to a field called SearchType and its values to SearchString?

Event 1 (contains logs which uses field search)

>> SearchPost Request: {requestParam={docType=policy, sourceSystem=[hdes, pup], **search**=00001234, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 117

Event 2 (contains logs which uses field phoneNumber)

>> SearchPost Request: {requestParam={docType=policy, **phoneNumber**={value=0000000000, type=[*]}, sourceSystem=[pas, mais, cogen, hdes, pup, sis, maig_auto, maig_home], search=, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 18
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"

View solution in original post

0 Karma

somesoni2
Revered Legend

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"
0 Karma

athorat
Communicator

Thanks @sundareshr
it seems it assigned the proper values but the searchType shows only values for "search"
if I Filter data by SearchType(phoneNumber), SearchString field disappears.

Thanks again for looking into this.

0 Karma

sundareshr
Legend

Is phoneNumber extracted as a field? What do you get when you type this search

...  | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | table search phoneNumber SearchType SearchString
0 Karma

sundareshr
Legend

Try this

.... | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | stats count by SearchType SearchString
0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...