https://community.splunk.com/t5/Splunk-Search/Grouping-similar-fields-using-search-syntax/m-p/47416#M11315 <P>I have a ton of useragent type fields, like MacOutlook/some_version_x_os_version_etc and Entourage/other_version_x_os_version_etc. How can I group these for reporting so they all show up as MacOutlook and Entourage?</P> Sat, 19 Feb 2011 04:53:23 GMT the_wolverine 2011-02-19T04:53:23Z https://community.splunk.com/t5/Splunk-Search/Grouping-similar-fields-using-search-syntax/m-p/47416#M11315 <P>I have a ton of useragent type fields, like MacOutlook/some_version_x_os_version_etc and Entourage/other_version_x_os_version_etc. How can I group these for reporting so they all show up as MacOutlook and Entourage?</P> Sat, 19 Feb 2011 04:53:23 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-similar-fields-using-search-syntax/m-p/47416#M11315 the_wolverine 2011-02-19T04:53:23Z https://community.splunk.com/t5/Splunk-Search/Grouping-similar-fields-using-search-syntax/m-p/47417#M11316 <P>You can always use a rex to pull out a subset of the field. For example, if you just want to pull the contents of the useragent field before the /, you could do the following:</P> <PRE><CODE>YourSearch | rex field=useragent "^(?&lt;GeneralAgent&gt;.*?)/" | stats count by GeneralAgent </CODE></PRE> <P>If you don't have the useragent already pulled out, you could expand that:</P> <PRE><CODE>YourSearch | rex field=_raw "UserAgent=(?&lt;GeneralAgent&gt;.*?)/" | stats count by GeneralAgent </CODE></PRE> <P>You can then move that extraction into your props.conf to make it permanent.</P> Sat, 19 Feb 2011 05:00:48 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-similar-fields-using-search-syntax/m-p/47417#M11316 David 2011-02-19T05:00:48Z https://community.splunk.com/t5/Splunk-Search/Grouping-similar-fields-using-search-syntax/m-p/47418#M11317 <P>1) It's a pretty manual technique, but you can do it with eval, if and searchmatch. </P> <P>For example, this string of evals will create a field called userAgentType whose values are just Entourage, MacOutlook and Other. </P> <PRE><CODE>&lt;your search&gt; | eval userAgentType=if(searchmatch("useragent=*Entourage*"), "Entourage",userAgentType) | eval userAgentType=if(searchmatch("useragent=*MacOutlook*"), "MacOutlook",userAgentType) | eval userAgentType=if(isnull(userAgentType),"Other", userAgentType) </CODE></PRE> <P>and to tack a chart on the end: </P> <PRE><CODE>&lt;your search&gt; | eval userAgentType=if(searchmatch("useragent=*Entourage*"), "Entourage",userAgentType) | eval userAgentType=if(searchmatch("useragent=*MacOutlook*"), "MacOutlook",userAgentType) | eval userAgentType=if(isnull(userAgentType),"Other", userAgentType) | timechart count by userAgentType </CODE></PRE> <P>2) Another way you could do it, is to create a bunch of eventtypes that match based on userAgent, and then just do searches with <CODE>by eventtype</CODE> on the end. In that scenario though you'd have to be careful not to have overlapping eventtypes, as well as to somehow filter out all of the eventtypes that have nothing to do with 'useragent-ness'</P> Sat, 19 Feb 2011 05:54:48 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-similar-fields-using-search-syntax/m-p/47418#M11317 sideview 2011-02-19T05:54:48Z