https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320070#M163497 <P>Query which I had provided was generating dummy data so you do not require first 4 lines from my query . Now based on query you have provided, you are not capturing regex output in any field, try something like this (But I am bit surprised that in chart command you are not using field <CODE>ROBOT</CODE> then how can you use <CODE>ROBOT</CODE> field in rex command after chart command ??</P> <PRE><CODE>| rex field=ROBOT "(?&lt;extracted_field&gt;(0\d+))" | eval extracted_field="Robot"." ".extracted_field | chart count(IDEVENT) as ERROR_QTY, values(extracted_field) as extracted_field by ERROR_DESC | sort ERROR_QTY DESC LIMIT=10 </CODE></PRE> <P>In above query 001, 002, 003 ... will store into new field called <CODE>extracted_field</CODE> and after that we are concatenating <CODE>Robot</CODE> with output value in that field. </P> <P>EDIT: Updated query.</P> Fri, 19 Jan 2018 04:42:03 GMT harsmarvania57 2018-01-19T04:42:03Z https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320067#M163494 <P>Hi Guys!</P> <P>I am creating a table with number of errors per robot. The field values of these robots are "IGH2001", "IGH2002" and "IGH2003".<BR /> I used a rex command and was able to extract the last 3 digits which are 001, 002 and 003.</P> <P>Now, I wanted to add "Robot" in front of the 3 digits to have field values of Robot 001 Robot 002 Robot 003.<BR /> How can I do that?</P> <P>Thank you!</P> Fri, 19 Jan 2018 03:54:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320067#M163494 auaave 2018-01-19T03:54:17Z https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320068#M163495 <P>Hi @auaave,</P> <P>Can you please try something like this, first 4 lines used to generate dummy data only.</P> <PRE><CODE>| makeresults | eval field1="001" | append [ | makeresults | eval field1="002"] | append [ | makeresults | eval field1="003"] | eval newfield="Robot"." ".field1 </CODE></PRE> Fri, 19 Jan 2018 04:04:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320068#M163495 harsmarvania57 2018-01-19T04:04:47Z https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320069#M163496 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163905">@harsmarvania57</a>, thanks for your reply! Based on your input, I have written the code as per below. However, I am having this error "Error in 'makeresults' command: This command must be the first command of a search. "</P> <P>| chart count(IDEVENT) as ERROR_QTY by ERROR_DESC <BR /> | rex field=ROBOT "(?(0\d+))" <BR /> | makeresults <BR /> | eval field1="001" <BR /> | append <BR /> [| makeresults <BR /> | eval field1="002"] <BR /> | append <BR /> [| makeresults <BR /> | eval field1="003"] <BR /> | eval newfield="Robot"." ".field1 <BR /> | sort ERROR_QTY DESC LIMIT=10</P> Tue, 29 Sep 2020 17:45:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320069#M163496 auaave 2020-09-29T17:45:05Z https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320070#M163497 <P>Query which I had provided was generating dummy data so you do not require first 4 lines from my query . Now based on query you have provided, you are not capturing regex output in any field, try something like this (But I am bit surprised that in chart command you are not using field <CODE>ROBOT</CODE> then how can you use <CODE>ROBOT</CODE> field in rex command after chart command ??</P> <PRE><CODE>| rex field=ROBOT "(?&lt;extracted_field&gt;(0\d+))" | eval extracted_field="Robot"." ".extracted_field | chart count(IDEVENT) as ERROR_QTY, values(extracted_field) as extracted_field by ERROR_DESC | sort ERROR_QTY DESC LIMIT=10 </CODE></PRE> <P>In above query 001, 002, 003 ... will store into new field called <CODE>extracted_field</CODE> and after that we are concatenating <CODE>Robot</CODE> with output value in that field. </P> <P>EDIT: Updated query.</P> Fri, 19 Jan 2018 04:42:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320070#M163497 harsmarvania57 2018-01-19T04:42:03Z https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320071#M163498 <P>@harsmarvia57, thanks a lot! the last one worked!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 19 Jan 2018 05:13:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320071#M163498 auaave 2018-01-19T05:13:49Z https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320072#M163499 <P>You're welcome.</P> Fri, 19 Jan 2018 05:54:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-string-on-a-field-value/m-p/320072#M163499 harsmarvania57 2018-01-19T05:54:36Z