https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754871#M18536 <P>index=myindex&nbsp; (&nbsp;"Sign-up experience experiment not allowed" OR&nbsp;"Sign-up experience experiment allowed" OR&nbsp;"experiments.1" )</P><P>SO, there are three string searches; the first tow differ in a "not" inside the text.</P><P>I would like to do a stats to count for the appearance of each, e.g.</P><P>| stats count by&nbsp; &lt;var&gt;</P><P>&nbsp;</P> Tue, 28 Oct 2025 18:26:49 GMT gsbpp 2025-10-28T18:26:49Z https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754871#M18536 <P>index=myindex&nbsp; (&nbsp;"Sign-up experience experiment not allowed" OR&nbsp;"Sign-up experience experiment allowed" OR&nbsp;"experiments.1" )</P><P>SO, there are three string searches; the first tow differ in a "not" inside the text.</P><P>I would like to do a stats to count for the appearance of each, e.g.</P><P>| stats count by&nbsp; &lt;var&gt;</P><P>&nbsp;</P> Tue, 28 Oct 2025 18:26:49 GMT https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754871#M18536 gsbpp 2025-10-28T18:26:49Z https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754875#M18537 <P>If the searched-for strings are in a known field then you can use that field in the <FONT face="courier new,courier">stats</FONT> command.</P><LI-CODE lang="markup">index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" ) | stats count by foo</LI-CODE><P>OTOH, if the strings can be anywhere then it gets more involved.&nbsp; We need to create a field for the <FONT face="courier new,courier">stats</FONT> command to use.</P><LI-CODE lang="markup">index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" ) | eval foo=case(searchmatch("Sign-up experience experiment not allowed"),"Not allowed", searchmatch("Sign-up experience experiment allowed"), "Allowed", searchmatch("experiments.1"), "Experiments", 1==1, "Other" ) | stats count by foo</LI-CODE> Tue, 28 Oct 2025 19:11:13 GMT https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754875#M18537 richgalloway 2025-10-28T19:11:13Z https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754907#M18538 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224402">@gsbpp</a>&nbsp;<BR />You can try something below to match and do a stats count.</P><LI-CODE lang="markup">index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" ) | eval phrase=case( searchmatch("Sign-up experience experiment not allowed"), "Sign-up experience experiment not allowed", searchmatch("Sign-up experience experiment allowed"), "Sign-up experience experiment allowed", searchmatch("experiments.1"), "experiments.1" ) | stats count by phrase</LI-CODE><P><BR />Regards,<BR />Prewin<BR /><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span>If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Wed, 29 Oct 2025 06:01:17 GMT https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754907#M18538 PrewinThomas 2025-10-29T06:01:17Z https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754977#M18539 <P>It worked. Thank you!</P> Thu, 30 Oct 2025 14:51:44 GMT https://community.splunk.com/t5/Security/use-strings-values-as-a-variable-to-do-stats/m-p/754977#M18539 gsbpp 2025-10-30T14:51:44Z