https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525007#M148111 <P>The problem with made up data is it can be difficult to give a useful answer.</P><UL><LI>Is tags a single field?</LI><LI>Is class always followed by a colon and 3 numbers?</LI><LI>Is class always at the end if the tags string?</LI></UL><P>However, given the example, try</P><LI-CODE lang="markup">sourcetype="my-data" | rex field=tags "(?&lt;class&gt;class:\d+)" | stats count by class</LI-CODE> Fri, 16 Oct 2020 07:18:46 GMT ITWhisperer 2020-10-16T07:18:46Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/524996#M148109 <P>Hello everyone,</P><P>I have my fields like below,</P><TABLE width="378px"><TBODY><TR><TD width="125px" height="25px">indicator</TD><TD width="252px" height="25px">tags</TD></TR><TR><TD width="125px" height="25px">indicator 1</TD><TD width="252px" height="25px">tag 1,class:234</TD></TR><TR><TD width="125px" height="25px">indicator 2</TD><TD width="252px" height="25px">tagg,class:456</TD></TR></TBODY></TABLE><P>I have to group my fields based on tags starting with class, and my query is like below,</P><P>sourcetype="my-data" |stats count by tags|where tags="class*"</P><P>But I am getting 0 results, as where class is taking only exact values and not "class*"</P><P>I want my result as below,</P><P>class:234 1</P><P>class:456 1</P><P>Kindly suggest.</P> Fri, 16 Oct 2020 05:49:25 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/524996#M148109 Janani_Krish 2020-10-16T05:49:25Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525005#M148110 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223190">@Janani_Krish</a>,</P><P>if the structure of your tags is always "xxx,value" you could use a regex to extract the value after comma, something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">sourcetype="my-data" | stats count by tags | rex field=tags "^[^,]*,(?&lt;tags&gt;.*)" | search tags="class*"</LI-CODE><P>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Oct 2020 07:14:12 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525005#M148110 gcusello 2020-10-16T07:14:12Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525007#M148111 <P>The problem with made up data is it can be difficult to give a useful answer.</P><UL><LI>Is tags a single field?</LI><LI>Is class always followed by a colon and 3 numbers?</LI><LI>Is class always at the end if the tags string?</LI></UL><P>However, given the example, try</P><LI-CODE lang="markup">sourcetype="my-data" | rex field=tags "(?&lt;class&gt;class:\d+)" | stats count by class</LI-CODE> Fri, 16 Oct 2020 07:18:46 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525007#M148111 ITWhisperer 2020-10-16T07:18:46Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525010#M148112 <P>Try</P><LI-CODE lang="markup">|where tags like "%class%"</LI-CODE> Fri, 16 Oct 2020 07:25:52 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525010#M148112 renjith_nair 2020-10-16T07:25:52Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525020#M148115 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/136781">@renjith_nair</a>&nbsp; this works. But If I am using this with timechart it is not working.</P><P>sourcetype="my-data" |timechart span=4h count by tags|where tags like "%class%"</P><P>Can you suggest.</P> Fri, 16 Oct 2020 08:41:10 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525020#M148115 Janani_Krish 2020-10-16T08:41:10Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525021#M148116 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>Thank you for the suggestion. But my structure varies,,it is not always followed by comma.</P> Fri, 16 Oct 2020 08:43:19 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525021#M148116 Janani_Krish 2020-10-16T08:43:19Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525022#M148117 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223190">@Janani_Krish</a>,</P><P>You should try (if possible) to identify all the rules of your tags field and write all the possible regexes to extract the tags you want.</P><P>There'a also anothe choice, if the list of tags isn't lo long and it's manageable, you could put the tags in a lookup and use this lookup to match the events with a tag.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Oct 2020 08:52:15 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525022#M148117 gcusello 2020-10-16T08:52:15Z https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525023#M148118 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>Thanks for the reply,</P><P>1.No tags contain multiple fields or single field depending upon the log.</P><P>2.No class doesnt have any pattern.</P><P>3.No class can be anywhere in tags.</P><P>Rex command works well with timechart and stats command as well.</P> Fri, 16 Oct 2020 08:52:18 GMT https://community.splunk.com/t5/Splunk-Search/where-in-stats-command/m-p/525023#M148118 Janani_Krish 2020-10-16T08:52:18Z