How to perform search only using PhoneNum?

hkchew · ‎12-11-2017

I have 2 sourcetypes:
Eg. sourcetypeA has fields such as ServiceProvider, GroupID, DeviceUsed, DeviceSerialNum
sourcetypeB has fields such as Name, GroupID, PhoneNum, VAS1, VAS2

When I search using PhoneNum ONLY, the result needs to display PhoneNum, GroupID, DeviceUsed, DeviceSerialNum

hkchew · ‎12-12-2017

Thank you guys but none of the above works.
The field name of the groupid is different in both sourcetype although groupdid is found in the field#2 of both sourcetype

hkchew · ‎12-12-2017

Thank you, guys but none of the above works.
The field name of GroupID of sourcetypeA is different from sourcetypeB although both GroupID are found on field#2 in both sourcetype.

somesoni2 · ‎12-11-2017

Try like this

(sourcetype=sourcetypeA) OR (sourcetype=sourcetypeB PhoneNum="YourSearchedPhoneNumHere")
| fields GroupID, DeviceUsed, DeviceSerialNum PhoneNum
| stats values(PhoneNum) as PhoneNum values(DeviceUsed) as DeviceUsed values(DeviceSerialNum) as DeviceSerialNum by GroupID
| where isnotnull(PhoneNum)

sbbadri · ‎12-11-2017

@hkchew

i hope this helps

How to perform search only using PhoneNum?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms