Splunk Search

Search for either of two values, given only one value

jhumkey
Path Finder

I'm trying to lookup all lines that have EITHER a Matching Name or Phone, when given ONLY the Name to search for. And I Know the "Combiner" entry will Always exist, and have both.

EntryTag,Name,Phone
Alpha,Wilma_Flintstone,
Bravo,Wilma_Flintstone,
Charlie,Wilma_Flintstone,
Combiner,Wilma_Flintstone,555-1212
Delta,,555-1212
Echo,,555-1212
Fox,Wilma_Flintstone,555-1212

Assume there are thousands of other lines with different Names and different Phones.

source="SecondarySearch.csv"

returns everything. (All Seven Entries. Alpha,Bravo,Charlie,Combiner,Delta,Echo,Fox)

source="SecondarySearch.csv" EntryTag=Combiner Name=Wilma_Flintstone Phone=* | return 1 iName=Name,iPhone=Phone

Returns . . .
iName="Wilma_Flintstone" iPhone="555-1212"

So, I was hoping to take that successful search (for a line that I know will contain BOTH the Name and Phone and will always exist) and make it a subsearch, where the Human would enter ONLY the $Name$ Name, "I" within the subsearch would lookup the matching Phone # (from the Combiner EntryTag line that will always exist), then perform an outer search for Name=Wilma_Flintstone OR Phone=555-1212, like . . .

source="SecondarySearch.csv" Name=iName OR Phone=iPhone [search source="SecondarySearch.csv" EntryTag=Combiner Name=Wilma_Flintstone Phone=* | return 1 iName=Name,iPhone=Phone]

No error, but no results either.

OK, let's try WHERE on the end, instead of Field=Field on the front.

source="SecondarySearch.csv" [search source="SecondarySearch.csv" EntryTag=Combiner Name=Wilma_Flintstone Phone=* | return 1 iName=Name,iPhone=Phone] | WHERE Name=iName OR Phone=iPhone

Again, no error, but no results either.

I KNOW the subsearch by itself finds the Combiner line and returns Wilma_Flintstone and 555-1212 both. I just can't then figure out how to use those two found values to search for ALL the lines that have EITHER the matching Name or Phone#.

0 Karma
1 Solution

sundareshr
Legend

Try this

source="SecondarySearch.csv" Name=Wilma_Flintstone OR  [search source="SecondarySearch.csv" EntryTag=Combiner Name=Wilma_Flintstone Phone=* | return 1 Phone]

If the value for Name is provided by a token in your form, you could change it to

source="SecondarySearch.csv" Name=$tokName$ OR  [search source="SecondarySearch.csv" EntryTag=Combiner Name=$tokName$ Phone=* | return 1 Phone]
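
As an added illustration (not from this thread or from Splunk), the following Python models what the accepted answer does: the subsearch looks up the Phone from the Combiner row, and that single value is spliced in as the right-hand side of the OR in the outer search. It also models why the first attempt in the question returned nothing. The rows are the seven from the question plus two constructed extras (a second person and a phone-only row) standing in for the other lines; the function names, the `spl_quote` helper and the behaviour when no Combiner row exists are the model's own assumptions, not Splunk's.

```python
import csv
import io
from typing import Optional

# Constructed sample data: the seven rows from the question, plus a second
# person and one phone-only row standing in for the "thousands of other lines".
SAMPLE_CSV = """EntryTag,Name,Phone
Alpha,Wilma_Flintstone,
Bravo,Wilma_Flintstone,
Charlie,Wilma_Flintstone,
Combiner,Wilma_Flintstone,555-1212
Delta,,555-1212
Echo,,555-1212
Fox,Wilma_Flintstone,555-1212
Combiner,Fred_Flintstone,555-3434
Golf,,555-3434
"""


def load_rows(text: str) -> list:
    """Parse the CSV into one dict per log line (empty cells become "")."""
    return list(csv.DictReader(io.StringIO(text)))


def combiner_phone(rows: list, name: str) -> Optional[str]:
    """Model of the subsearch: the Combiner row for this name with a non-empty
    Phone (Phone=*); `return 1 Phone` hands back that single value."""
    for row in rows:
        if row["EntryTag"] == "Combiner" and row["Name"] == name and row["Phone"]:
            return row["Phone"]
    return None


def spl_quote(value: str) -> str:
    """Wrap a value in double quotes, backslash-escaping embedded quotes and
    backslashes, so that spaces, OR, or a stray quote in user input is read
    as a value rather than as search syntax (hypothetical helper)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def expanded_search(name: str, phone: Optional[str]) -> str:
    """The outer search as it reads once the subsearch has been evaluated:
    the looked-up Phone becomes the second half of the OR."""
    base = f'source="SecondarySearch.csv" Name={spl_quote(name)}'
    if phone is None:
        # No Combiner row for this name: this model keeps only the Name term.
        return base
    return f"{base} OR Phone={spl_quote(phone)}"


def history_for_name(rows: list, name: str) -> list:
    """Model of the accepted answer: every row whose Name matches, or whose
    Phone equals the one looked up from the Combiner row."""
    phone = combiner_phone(rows, name)
    return [
        row["EntryTag"]
        for row in rows
        if row["Name"] == name or (phone is not None and row["Phone"] == phone)
    ]


def first_attempt(rows: list) -> list:
    """Model of the question's first attempt, `Name=iName OR Phone=iPhone`:
    the right-hand sides are literal strings, not references to the fields
    the subsearch returned, so no row matches and nothing comes back."""
    return [r["EntryTag"] for r in rows if r["Name"] == "iName" or r["Phone"] == "iPhone"]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    phone = combiner_phone(rows, "Wilma_Flintstone")
    print(expanded_search("Wilma_Flintstone", phone))
    print(history_for_name(rows, "Wilma_Flintstone"))
    print(first_attempt(rows))
```

Running it lists all seven of Wilma's entries (including Delta and Echo, which carry only the phone) and an empty list for the first attempt. The quoting helper is there because the token form of the answer (`Name=$tokName$`) inserts whatever the user typed straight into the search string; quoting the value keeps a space or an `OR` in the input from changing the shape of the query, which is the same reason Splunk dashboards offer the `$tokName|s$` filter.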


jhumkey
Path Finder

I'll try it tomorrow at work. Though that makes sense. You're searching for Name (which we're given and know) and using the subsearch to return the (previously unknown phone #) and utilize that returned value as part of the SAME search the Name is used in. So it's not the secondary search feeding results to a primary (that didn't work for me), instead you're actually "building" the 2nd half of the primary search criteria, using the secondary. That would never have occurred to me. I'll test and accept tomorrow if it works. Many thanks either way.

0 Karma

jhumkey
Path Finder

That works great. So I stop trying to return a "stream" of answers from the secondary search, and stop trying to pipe a stream of answers from the primary to a secondary search, but instead . . . just use the secondary search to form the last part of the search criteria for the primary.

0 Karma

sundareshr
Legend

You got it!

0 Karma

lguinn2
Legend

I think you may be making it far too complicated. Assume that what your user has entered is stored in the token $input$, and the input could contain either a name or a number, and you don't know which it is.

Your search could be as simple as

source="SecondarySearch.csv" "$input$"

This will return all lines that have the keyword anywhere in the line, although it won't do partial matches. But try it, just to see what happens.

Next option: Select only when the input appears in one of the two fields

source="SecondarySearch.csv" Name="$input$" OR Phone="$input$"

Variations: use wildcards to match even when the human only supplied partial information (these searches will run slower, mostly due to the leading *s)

source="SecondarySearch.csv" Name="*$input$*" OR Phone="*$input$*"

Of course, if the human is supplying specific inputs: $name$ and $number$, then you could do this

source="SecondarySearch.csv" Name="$name$" OR Phone="$number$"

which will give you all entries that have either the name or the number or both.

0 Karma

jhumkey
Path Finder

Thanks, but no, that's solving a different problem. I know with absolute certainty that I'll be given the NAME. But some of the log entries will have ONLY the Phone#. To show the total history for the "person" . . . I need to use the Name to lookup the Phone, then performing a 2nd search, I find all three types of log entries. Those with Name only (which the given name would have found), and those with Name+Phone (which the given name also would find), AND those with Phone-Only (which I have to lookup "by association". Name alone wouldn't find the entries that have Phone # only). So I use Name to find Phone, then perform a secondary search by Either Name OR Phone . . . and get all three types of log entries for a complete history. I'm finding the Phone (given the name) fine, but can't then get the secondary search to work. Thanks though.

0 Karma