topic How do I rename field values and add up the count(*) if the value is the same? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445244#M126310 <P>How do I rename field values, and if the values are same, add up the corresponding count value?</P> <PRE><CODE>index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*" | stats count(StatusCode) AS NoOfFailures by StatusCode </CODE></PRE> <P>The result i get is </P> <PRE><CODE>StatusCode | count(StatusCode) 206 Partial Content | 5 400 Bad Request | 8 404 Not Found | 3 </CODE></PRE> <P>Then i add rename for the fields</P> <PRE><CODE>index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*" | stats count(StatusCode) AS NoOfFailures by StatusCode | replace "404 Not Found" with "Medium", "206 Partial Content" with "Low", "400 Bad Request" with "Medium" | table StatusCode,NoOfFailures </CODE></PRE> <P>The result i get is</P> <PRE><CODE>StatusCode | count(StatusCode) LOW | 5 Medium | 8 Medium | 3 </CODE></PRE> <P>But the result i want is </P> <PRE><CODE>StatusCode | count(StatusCode) LOW | 5 Medium | 11 </CODE></PRE> <P>11 = 8+3 (i.e., I want all with value as medium to be in one row with the total number of count(*)</P> <P>Can anybody help me how to do this?</P> Tue, 05 Feb 2019 09:28:47 GMT rohanmiskin 2019-02-05T09:28:47Z How do I rename field values and add up the count(*) if the value is the same? https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445244#M126310 <P>How do I rename field values, and if the values are same, add up the corresponding count value?</P> <PRE><CODE>index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*" | stats count(StatusCode) AS NoOfFailures by StatusCode </CODE></PRE> <P>The result i get is </P> <PRE><CODE>StatusCode | count(StatusCode) 206 Partial Content | 5 400 Bad Request | 8 404 Not Found | 3 </CODE></PRE> <P>Then i add rename for the fields</P> <PRE><CODE>index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*" | stats count(StatusCode) AS NoOfFailures by StatusCode | replace "404 Not Found" with "Medium", "206 Partial Content" with "Low", "400 Bad Request" with "Medium" | table StatusCode,NoOfFailures </CODE></PRE> <P>The result i get is</P> <PRE><CODE>StatusCode | count(StatusCode) LOW | 5 Medium | 8 Medium | 3 </CODE></PRE> <P>But the result i want is </P> <PRE><CODE>StatusCode | count(StatusCode) LOW | 5 Medium | 11 </CODE></PRE> <P>11 = 8+3 (i.e., I want all with value as medium to be in one row with the total number of count(*)</P> <P>Can anybody help me how to do this?</P> Tue, 05 Feb 2019 09:28:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445244#M126310 rohanmiskin 2019-02-05T09:28:47Z Re: How do I rename field values and add up the count(*) if the value is the same? https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445245#M126311 <P>Hi</P> <P>Try this <CODE>index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 " OR StatusCode="3" | eval statusSeverity = case(StatusCode=="404 Not Found", "Medium, StatusCode=="206 Partial Content", true(), "Unknown") | stats count by statusSeverity</CODE></P> Tue, 05 Feb 2019 09:50:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445245#M126311 chrisyounger 2019-02-05T09:50:00Z Re: How do I rename field values and add up the count(*) if the value is the same? https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445246#M126312 <P>hi @rohanmiskin </P> <P>try like this <CODE>index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 " OR StatusCode="3" | stats count(StatusCode) as NoOfFailures by StatusCode | replace "404 Not Found" with "Medium", "206 Partial Content" with "Low", "400 Bad Request" with "Medium" | table StatusCode,NoOfFailures |stats sum(NoOfFailures) as NoofFailure by StatusCode</CODE></P> Tue, 05 Feb 2019 10:14:17 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445246#M126312 harishalipaka 2019-02-05T10:14:17Z Re: How do I rename field values and add up the count(*) if the value is the same? https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445247#M126313 <P>Yup, this works perfectly. Thank you.</P> Wed, 06 Feb 2019 11:29:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-rename-field-values-and-add-up-the-count-if-the-value/m-p/445247#M126313 rohanmiskin 2019-02-06T11:29:08Z