Splunk Search

How to write a search using my sample data to display two fields under one column and their values under another column in a dashboard?

athorat
Communicator

I have data flowing in from IVR logs and have three fields I'm using which I want to build a dashboard.
The event will have data either searched by a phone number or field called search.

I want to get column data showing:

ColumnName --->   SearchType       SearchString       Response Count
                  phoneNumber      00001234           0
                  search           0000000000         0

How do I club phoneNumber and search to assign to a field called SearchType and its values to SearchString?

Event 1 (contains logs which uses field search)

>> SearchPost Request: {requestParam={docType=policy, sourceSystem=[hdes, pup], **search**=00001234, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 117

Event 2 (contains logs which uses field phoneNumber)

>> SearchPost Request: {requestParam={docType=policy, **phoneNumber**={value=0000000000, type=[*]}, sourceSystem=[pas, mais, cogen, hdes, pup, sis, maig_auto, maig_home], search=, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 18
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"
0 Karma

athorat
Communicator

Thanks @sundareshr
it seems it assigned the proper values but the searchType shows only values for "search"
if I Filter data by SearchType(phoneNumber), SearchString field disappears.

Thanks again for looking into this.

0 Karma

sundareshr
Legend

Is phoneNumber extracted as a field? What do you get when you type this search

...  | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | table search phoneNumber SearchType SearchString
0 Karma

sundareshr
Legend

Try this

.... | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | stats count by SearchType SearchString
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...