https://community.splunk.com/t5/Splunk-Search/Grouping-by-name/m-p/343072#M160750 <P>Like this:</P> <PRE><CODE>| makeresults | eval x="183512 217654 217655 217656 217657 224808 263806 263807 263808 263809 263810 263811 279992 279996 314724" | makemv x | mvexpand x | rename COMMENT AS "Everything above creates test event data; everything below is your solution" | rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g s/^\d+$/group2/g" | stats count by x </CODE></PRE> Mon, 12 Jun 2017 02:40:44 GMT woodcock 2017-06-12T02:40:44Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-name/m-p/343070#M160748 <P>Hi,<BR /> In my search results i have numbers like this and i would like to group them by group1 and group2.<BR /> Where group1 =263806,263807,263808,263809,263810,263811<BR /> and rest numbers should be group2</P> <P>So i have used the below expression, i see group1 but group2 is not working properly</P> <P>| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g" | rex mode=sed field=x "s/([^(26380[6-9]]$|[^26381[0-1]]$)/group2/g" | stats count by x</P> <P>183512<BR /><BR /> 217654<BR /><BR /> 217655<BR /><BR /> 217656<BR /><BR /> 217657<BR /><BR /> 224808<BR /><BR /> 263806<BR /><BR /> 263807<BR /><BR /> 263808<BR /><BR /> 263809<BR /><BR /> 263810<BR /><BR /> 263811<BR /><BR /> 279992<BR /><BR /> 279996<BR /> 314724 </P> Sun, 11 Jun 2017 00:03:40 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-name/m-p/343070#M160748 xvxt006 2017-06-11T00:03:40Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-name/m-p/343071#M160749 <P>You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:</P> <PRE><CODE>| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g" | rex mode=sed field=x "s/\d+/group2/g" | stats count by x </CODE></PRE> <P>The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.</P> Sun, 11 Jun 2017 00:36:54 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-name/m-p/343071#M160749 yuanliu 2017-06-11T00:36:54Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-name/m-p/343072#M160750 <P>Like this:</P> <PRE><CODE>| makeresults | eval x="183512 217654 217655 217656 217657 224808 263806 263807 263808 263809 263810 263811 279992 279996 314724" | makemv x | mvexpand x | rename COMMENT AS "Everything above creates test event data; everything below is your solution" | rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g s/^\d+$/group2/g" | stats count by x </CODE></PRE> Mon, 12 Jun 2017 02:40:44 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-name/m-p/343072#M160750 woodcock 2017-06-12T02:40:44Z