https://community.splunk.com/t5/Splunk-Search/group-certain-URLs/m-p/504845#M140994 <P>You can normalize the url with regular expression, but you will need to account for all of your use cases.&nbsp; Here's an example regex based on the examples you provided:<BR /><BR /></P><LI-CODE lang="python">| rex mode=sed field=URL "s/\/(customer|savedsearch)\/[^\e\/]+/\/\1\//g"</LI-CODE><P>&nbsp;</P><P>Here's a run anywhere example that shows how it works:</P><LI-CODE lang="python">| makeresults | eval URL="/login/ /login/ /api/customer/5542-a44/data /api/customer/5c77-59w/data /api/customer/7a88-134/data /weather/forecast/ /api/savedsearch/7775 /api/savedsearch/4788 /new/use" | makemv URL tokenizer="(?&lt;URL&gt;[^\n]+)" | mvexpand URL | rex mode=sed field=URL "s/\/(customer|savedsearch)\/[^\e\/]+/\/\1\//g" | stats count by URL</LI-CODE> Wed, 17 Jun 2020 17:46:09 GMT dmarling 2020-06-17T17:46:09Z https://community.splunk.com/t5/Splunk-Search/group-certain-URLs/m-p/504834#M140992 <P>I have a search that returns events with many different URLs</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=test URL=*</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I want to obtain a count of events per URL</P><P>However some of the URLs are slightly different so I want to group them together</P><P>Example of my URL values</P><P>/login/<BR />/login/<BR />/api/customer/5542-a44/data<BR />/api/customer/5c77-59w/data<BR />/api/customer/7a88-134/data<BR />/weather/forecast/<BR />/api/savedseach/7775<BR />/api/savedseach/4788<BR />/new/user</P><P>What I would like to end up with</P><TABLE border="1" width="100%"><TBODY><TR><TD>URL</TD><TD>COUNT</TD></TR><TR><TD width="50%" height="25px">/login/</TD><TD width="50%" height="25px">2</TD></TR><TR><TD width="50%" height="25px">/api/customer//data</TD><TD width="50%" height="25px">3</TD></TR><TR><TD width="50%" height="25px"><P>/weather/forecast/</P></TD><TD width="50%" height="25px">1</TD></TR><TR><TD><P>/api/savedseach/</P></TD><TD>2</TD></TR><TR><TD><P>/new/user</P></TD><TD>1</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Im using | stats count by URL<BR />However as mentioned above my issue is with the URLs that have ids or guids in them</P> Wed, 17 Jun 2020 17:07:21 GMT https://community.splunk.com/t5/Splunk-Search/group-certain-URLs/m-p/504834#M140992 gerard11 2020-06-17T17:07:21Z https://community.splunk.com/t5/Splunk-Search/group-certain-URLs/m-p/504845#M140994 <P>You can normalize the url with regular expression, but you will need to account for all of your use cases.&nbsp; Here's an example regex based on the examples you provided:<BR /><BR /></P><LI-CODE lang="python">| rex mode=sed field=URL "s/\/(customer|savedsearch)\/[^\e\/]+/\/\1\//g"</LI-CODE><P>&nbsp;</P><P>Here's a run anywhere example that shows how it works:</P><LI-CODE lang="python">| makeresults | eval URL="/login/ /login/ /api/customer/5542-a44/data /api/customer/5c77-59w/data /api/customer/7a88-134/data /weather/forecast/ /api/savedsearch/7775 /api/savedsearch/4788 /new/use" | makemv URL tokenizer="(?&lt;URL&gt;[^\n]+)" | mvexpand URL | rex mode=sed field=URL "s/\/(customer|savedsearch)\/[^\e\/]+/\/\1\//g" | stats count by URL</LI-CODE> Wed, 17 Jun 2020 17:46:09 GMT https://community.splunk.com/t5/Splunk-Search/group-certain-URLs/m-p/504845#M140994 dmarling 2020-06-17T17:46:09Z https://community.splunk.com/t5/Splunk-Search/group-certain-URLs/m-p/504847#M141004 <P>This is exactly what I was looking for, thank you.</P> Wed, 17 Jun 2020 18:14:35 GMT https://community.splunk.com/t5/Splunk-Search/group-certain-URLs/m-p/504847#M141004 gerard11 2020-06-17T18:14:35Z