https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418181#M120276 <P>This is a great solution for problems like this. I've converted your comment as Answer so that you can accept this. Others with similar problem would then know that a working solution is available.</P> Fri, 25 May 2018 15:29:05 GMT somesoni2 2018-05-25T15:29:05Z https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418177#M120272 <P>Hello all!</P> <P>I apologize for the oddly worded question. Currently, I have extracted fields from two separate log formats that provide different spellings of field values.</P> <P>Examples: </P> <P>Field Name: Status<BR /> Field Values: ERROR, INFO, CRITICAL, err, info</P> <P>Since info and INFO are not the same string, this will provide two different metrics to work with. I would like to know if there is someway to merge the "info" into the "INFO" so that it's only seen as one metric. The same applies with err to ERROR as well. And, if there is no way to do this other than by a saved search, I can do that as well. Just let me know!</P> <P>Thanks you so much for your time!</P> Thu, 24 May 2018 21:01:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418177#M120272 thomastaylor 2018-05-24T21:01:15Z https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418178#M120273 <P>Do the distinct field Values are finite list? If yes, you can add a case statement in your search to normalize the values. e.g.</P> <PRE><CODE>...| eval Status=case(match(Status,"^(?i)(ERR)"),"ERROR",match(Status,"^(?i)(INFO)"),"INFO",..other values ) </CODE></PRE> Thu, 24 May 2018 21:25:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418178#M120273 somesoni2 2018-05-24T21:25:10Z https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418179#M120274 <P>Thank you for your answer!</P> <P>We actually found a work-around solution where we tagged the statuses as "INFO" and "ERROR" for all the different log formats. We then did the search: <CODE>index="main" | timechart count by tag::status</CODE> and it achieved what we wanted.</P> Fri, 25 May 2018 13:18:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418179#M120274 thomastaylor 2018-05-25T13:18:21Z https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418180#M120275 <P>Hello,</P> <P>You can use the <CODE>tag</CODE> or <CODE>alias</CODE> in Splunk, that acn help you to manage and organise your data</P> <P>Regards</P> Fri, 25 May 2018 13:33:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418180#M120275 TISKAR 2018-05-25T13:33:27Z https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418181#M120276 <P>This is a great solution for problems like this. I've converted your comment as Answer so that you can accept this. Others with similar problem would then know that a working solution is available.</P> Fri, 25 May 2018 15:29:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-Field-Values-represent-other-field-values/m-p/418181#M120276 somesoni2 2018-05-25T15:29:05Z