Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search using my sample data to display two fields under one column and their values under another column in a dashboard?

athorat
Communicator
‎08-15-2016 01:24 PM

I have data flowing in from IVR logs and have three fields I'm using which I want to build a dashboard.
The event will have data either searched by a phone number or field called search.

I want to get column data showing:

ColumnName --->   SearchType       SearchString       Response Count
                  phoneNumber      00001234           0
                  search           0000000000         0

How do I club phoneNumber and search to assign to a field called SearchType and its values to SearchString?

Event 1 (contains logs which uses field search)

>> SearchPost Request: {requestParam={docType=policy, sourceSystem=[hdes, pup], **search**=00001234, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 117

Event 2 (contains logs which uses field phoneNumber)

>> SearchPost Request: {requestParam={docType=policy, **phoneNumber**={value=0000000000, type=[*]}, sourceSystem=[pas, mais, cogen, hdes, pup, sis, maig_auto, maig_home], search=, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 18
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-15-2016 02:01 PM

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-15-2016 02:01 PM

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"
0 Karma
Reply
Solved! Jump to solution

athorat
Communicator
‎08-15-2016 01:54 PM

Thanks @sundareshr
it seems it assigned the proper values but the searchType shows only values for "search"
if I Filter data by SearchType(phoneNumber), SearchString field disappears.

Thanks again for looking into this.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-15-2016 02:02 PM

Is phoneNumber extracted as a field? What do you get when you type this search

...  | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | table search phoneNumber SearchType SearchString
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-15-2016 01:31 PM

Try this

.... | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | stats count by SearchType SearchString
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...