Solved: Re: How to write a search using my sample data to ...

athorat · ‎08-15-2016

I have data flowing in from IVR logs and have three fields I'm using which I want to build a dashboard.
The event will have data either searched by a phone number or field called search.

I want to get column data showing:

ColumnName --->   SearchType       SearchString       Response Count
                  phoneNumber      00001234           0
                  search           0000000000         0

How do I club phoneNumber and search to assign to a field called SearchType and its values to SearchString?

Event 1 (contains logs which uses field search)

>> SearchPost Request: {requestParam={docType=policy, sourceSystem=[hdes, pup], **search**=00001234, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 117

Event 2 (contains logs which uses field phoneNumber)

>> SearchPost Request: {requestParam={docType=policy, **phoneNumber**={value=0000000000, type=[*]}, sourceSystem=[pas, mais, cogen, hdes, pup, sis, maig_auto, maig_home], search=, prodTypeCode=[au, ho, pup, pu, pa], policyStatus=[active, renewal secured, lapsed]}, header={channelType=DSU, agency=null, requestType=IVR, agent=null}}, **Response Count: 0**, Total Time Taken: 18

somesoni2 · ‎08-15-2016

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"

View solution in original post

somesoni2 · ‎08-15-2016

Give this a try

your base search | table "Response Count" search phoneNumber | untable  "Response Count" "Search Type" "Search String"
| table "Search Type" "Search String"  "Response Count"

athorat · ‎08-15-2016

Thanks @sundareshr
it seems it assigned the proper values but the searchType shows only values for "search"
if I Filter data by SearchType(phoneNumber), SearchString field disappears.

Thanks again for looking into this.

sundareshr · ‎08-15-2016

Is phoneNumber extracted as a field? What do you get when you type this search

...  | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | table search phoneNumber SearchType SearchString

sundareshr · ‎08-15-2016

Try this

.... | eval SearchType=case(isnotnull(search), "search", isnotnull(phoneNumber), "phoneNumber", 1=1, "other") | eval SearchString=coalesce(search, phoneNnumber) | stats count by SearchType SearchString

How to write a search using my sample data to display two fields under one column and their values under another column in a dashboard?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation