https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555194#M157587 <P>For example, how would I make the following just "RHEL 8":&nbsp;</P><P>RHEL8<BR />RHEL 8<BR />rhel8<BR />rhel 8<BR />rhel 8.6<BR />Linux Server rel 8<BR /><BR />For example, how would I make the following just "Windows 10":<BR /><BR />&nbsp;Windows 10 Enterprise<BR />Windows 10<BR />Windows 10 enterprise<BR />Windows 10<BR />windows 10<BR />windows 10 20H2<BR />Windows 10 V2004<BR />windows 10 2004<BR /><BR />For example, how would I make the following just "Windows Server 2012":<BR /><BR />Windows 2012r2<BR />Windows Server 2012 R2<BR />Windows Server 2012<BR /><BR />Etc...<BR /><BR />Thanks</P> Wed, 09 Jun 2021 22:45:55 GMT UMDTERPS 2021-06-09T22:45:55Z https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555183#M157582 <P>Hi!&nbsp;<span class="lia-unicode-emoji" title=":man_office_worker:">👨‍💼</span></P><P><BR />I am a little stuck on how to normalize "Operating System" data I have.&nbsp; Currently, we have a field called "Operating System" our data looks something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">Operating System Windows 10 Enterprise Windows 10 Windows 10 enterprise Windows 10 windows 10 windows 10 20H2 Windows 10 V2004 windows 10 2004 Windows Server windows server RHEL8 RHEL 8 rhel8 rhel 8 rhel 8.6 Linux Server rel 8 Windows 2012r2 Windows Server 2012 R2 Windows Server 2012</LI-CODE><P>&nbsp;</P><P>After I did a stats count (because data isn't normalized) we have 170+ operating systems.&nbsp; What is the most efficient way to normalize data without writing 170+&nbsp; "replace" or "match" statements?<BR /><BR />For example, how would I make the following just "RHEL 8":&nbsp;</P><P>RHEL8<BR />RHEL 8<BR />rhel8<BR />rhel 8<BR />rhel 8.6<BR />Linux Server rel 8<BR /><BR />Thanks!</P> Wed, 09 Jun 2021 22:46:22 GMT https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555183#M157582 UMDTERPS 2021-06-09T22:46:22Z https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555188#M157584 <P>What do you mean by "normalize"? Do you want all the Windows * operating systems to be simply Windows, and all the rest to be *nix for example?</P> Wed, 09 Jun 2021 22:02:11 GMT https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555188#M157584 ITWhisperer 2021-06-09T22:02:11Z https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555194#M157587 <P>For example, how would I make the following just "RHEL 8":&nbsp;</P><P>RHEL8<BR />RHEL 8<BR />rhel8<BR />rhel 8<BR />rhel 8.6<BR />Linux Server rel 8<BR /><BR />For example, how would I make the following just "Windows 10":<BR /><BR />&nbsp;Windows 10 Enterprise<BR />Windows 10<BR />Windows 10 enterprise<BR />Windows 10<BR />windows 10<BR />windows 10 20H2<BR />Windows 10 V2004<BR />windows 10 2004<BR /><BR />For example, how would I make the following just "Windows Server 2012":<BR /><BR />Windows 2012r2<BR />Windows Server 2012 R2<BR />Windows Server 2012<BR /><BR />Etc...<BR /><BR />Thanks</P> Wed, 09 Jun 2021 22:45:55 GMT https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555194#M157587 UMDTERPS 2021-06-09T22:45:55Z https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555198#M157589 <LI-CODE lang="markup">| eval os=case(match(os,"(?i)rhel\s*8[\d\.]*"),"RHEL 8",match(os,"Linux Server rel 8"),"RHEL 8",match(os,"(?i)\s*windows\s10.*"),"Windows 10",match(os,"Windows (|Server )2012.*"),"Windows Server 2012",1==1,os)</LI-CODE><P>and so on</P> Wed, 09 Jun 2021 22:54:06 GMT https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555198#M157589 ITWhisperer 2021-06-09T22:54:06Z https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555321#M157636 <P>Doesn't seem to be working. For example, the field we have for OS is called "Operating System" and there is one entry that is "RHEL 8."&nbsp; The following SPL,&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">|eval "os"=case(match("os","RHEL 8"),"RHEL 8") |fields ip "system" os</LI-CODE><P>&nbsp;</P><P><BR />The search runs, no errors, but the search returns&nbsp; nothing for "os:"<BR /><BR />IP&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;system&nbsp; &nbsp; os<BR />192.168.1.1&nbsp; &nbsp; &nbsp; ABC&nbsp;<BR /><BR />"os" is blank, any ideas?<BR /><BR />Thanks!</P> Thu, 10 Jun 2021 14:54:42 GMT https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555321#M157636 UMDTERPS 2021-06-10T14:54:42Z https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555323#M157637 <P>If your field name has spaces in you need to enclose it is single quotes not double quotes.</P> Thu, 10 Jun 2021 14:57:44 GMT https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555323#M157637 ITWhisperer 2021-06-10T14:57:44Z https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555367#M157644 <P>Ahh Yes! Thanks!&nbsp; It works now!&nbsp; Karma Granted!</P> Thu, 10 Jun 2021 18:51:59 GMT https://community.splunk.com/t5/Splunk-Search/How-normalize-field-values-that-have-slightly-different-field/m-p/555367#M157644 UMDTERPS 2021-06-10T18:51:59Z