https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311451#M161514 <P>That is neat, I wasn't aware of the multireport function. I had trouble getting the eval case statement working so I ended up using sed on the "instance" field for the values of the apps I was after.</P> <P>| search someStuffHere<BR /> | rex field=instance mode=sed "s/^chrome(!?.<EM>)/Chrome/g" <BR /> | rex field=instance mode=sed "s/^iexplore(!?.</EM>)/InternetExplorer/g" <BR /> | rex field=instance mode=sed "s/^EXCEL(!?.*)/Excel/g" </P> <P>| timechart avg(%_Processor_Time) AS "Avg. % Processor Time" BY instance</P> <P>Regex example <A href="https://regex101.com/r/2diOwz/5" target="_blank">https://regex101.com/r/2diOwz/5</A><BR /> instance=chrome %_Processor_Time=17.8<BR /> instance=chrome#32 %_Processor_Time=3.5<BR /> instance=chrome#2 %_Processor_Time=40.0<BR /> instance=chrome#543 %_Processor_Time=0.0</P> Tue, 29 Sep 2020 13:37:52 GMT shawngarrettsgp 2020-09-29T13:37:52Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311449#M161512 <P>So I have CPU data from template for Citrix XenApp addon gathering CPU metrics. Each line on the graph is populated from two fields </P> <UL> <LI><STRONG>%_Processor_Time</STRONG> (0-100 value)</LI> <LI><STRONG>instance</STRONG> (name of the processes chrome#1,chrome#2,iexplore#13, etc.)</LI> </UL> <P><A href="https://answers.splunk.com/answers/111418/merge-timechart-column.html" target="_blank">Referencing this method</A> its a similar goal but the fields are not as straight forward merging counts of two values. I'm trying to do something similar with the eval I essentially want to do with wildcards be able to lump all the processor stats for a given application into a single field to report on. So in the example below instead of having an average for each instance name I want to do something like the illustrated below.<BR /> <IMG src="https://community.splunk.com/storage/temp/192192-processescombined.png" alt="alt text" /></P> <P>| eval source=if(source=="chrome*","chromeTotal",source)</P> Tue, 29 Sep 2020 13:32:58 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311449#M161512 shawngarrettsgp 2020-09-29T13:32:58Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311450#M161513 <P>Your solution should work to do JUST the totals so I am assuming that you are asking how to do BOTH. To do BOTH, do this:</P> <PRE><CODE>Your original search here | eval source=case(match(source, "^chrome"), "chromeTotal", match(source, "^iexplore*"), "ieTotal", true(), source) | multireport [ timechart avg(%_Processor_Time) BY instance ] [ timechart avg(%_Processor_Time) BY source] | stats values(*) AS * BY _time </CODE></PRE> Wed, 05 Apr 2017 19:25:19 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311450#M161513 woodcock 2017-04-05T19:25:19Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311451#M161514 <P>That is neat, I wasn't aware of the multireport function. I had trouble getting the eval case statement working so I ended up using sed on the "instance" field for the values of the apps I was after.</P> <P>| search someStuffHere<BR /> | rex field=instance mode=sed "s/^chrome(!?.<EM>)/Chrome/g" <BR /> | rex field=instance mode=sed "s/^iexplore(!?.</EM>)/InternetExplorer/g" <BR /> | rex field=instance mode=sed "s/^EXCEL(!?.*)/Excel/g" </P> <P>| timechart avg(%_Processor_Time) AS "Avg. % Processor Time" BY instance</P> <P>Regex example <A href="https://regex101.com/r/2diOwz/5" target="_blank">https://regex101.com/r/2diOwz/5</A><BR /> instance=chrome %_Processor_Time=17.8<BR /> instance=chrome#32 %_Processor_Time=3.5<BR /> instance=chrome#2 %_Processor_Time=40.0<BR /> instance=chrome#543 %_Processor_Time=0.0</P> Tue, 29 Sep 2020 13:37:52 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311451#M161514 shawngarrettsgp 2020-09-29T13:37:52Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311452#M161515 <P>Ultimately used sed for the apps I was interested in on the field name "instance"<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2721iF90EDD593769EF2A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> </P> <PRE><CODE>search stuffGoesHere | rex field=instance mode=sed "s/^chrome(!?.*)/Chrome/g" | rex field=instance mode=sed "s/^iexplore(!?.*)/InternetExplorer/g" | rex field=instance mode=sed "s/^EXCEL(!?.*)/Excel/g" | timechart avg(%_Processor_Time) AS "Avg. % Processor Time" BY instance </CODE></PRE> Mon, 10 Apr 2017 18:27:58 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311452#M161515 shawngarrettsgp 2017-04-10T18:27:58Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311453#M161516 <P>Thanks for posting your solution. Please "accept" your answer to show the problem is solved, and upvote any other answers you found particularly helpful.</P> Mon, 10 Apr 2017 21:41:53 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-CPU-percentage-instances-to-a-single-instance/m-p/311453#M161516 DalJeanis 2017-04-10T21:41:53Z