https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434822#M168384 <P>Hi,</P> <P>You can also use field aliases in this case, refer the below link for more info and let me know if it works for you.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Addaliasestofields">https://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Addaliasestofields</A></P> Wed, 11 Jul 2018 11:33:41 GMT manish_singh_77 2018-07-11T11:33:41Z https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434819#M168381 <P>Hi,</P> <P>I'm trying to combine results of varying operating systems into one, for example:</P> <P>Microsoft Windows Server 2008<BR /> Microsoft Windows Server 2008r2<BR /> Microsoft Windows Server 2012</P> <P>All to be listed as</P> <P>Windows Server</P> <P>Does anyone know I may do this? I tried this but wouldn't work:</P> <P>...chart count(signature) by operating-system | eval sort_field=case(operating-system=="Microsoft Windows*",Windows Server)</P> Wed, 11 Jul 2018 10:03:44 GMT https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434819#M168381 Grant007701 2018-07-11T10:03:44Z https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434820#M168382 <P>Three problems with your <CODE>eval</CODE>:</P> <OL> <LI><CODE>operating-system</CODE> would subtract <CODE>system</CODE> from <CODE>operating</CODE> - use single quotes to enclose non-standard field names.</LI> <LI><CODE>=="Microsoft Windows*</CODE> looks for literal equality, use <CODE>match()</CODE> to allow regex-based matches.</LI> <LI><CODE>Windows Server</CODE> should throw syntax errors, enclose strings in double quotes.</LI> </OL> Wed, 11 Jul 2018 10:36:26 GMT https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434820#M168382 martin_mueller 2018-07-11T10:36:26Z https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434821#M168383 <P>Thanks for this.</P> <P>Still struggling though, I have changed to the following:</P> <P>...chart count(signature) by operating-system | eval sort_field=case('operating-system'=match('operating-system',"Microsoft*","Windows Server",0))</P> <P>The arguments to the 'match' function are invalid.</P> Wed, 11 Jul 2018 11:15:50 GMT https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434821#M168383 Grant007701 2018-07-11T11:15:50Z https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434822#M168384 <P>Hi,</P> <P>You can also use field aliases in this case, refer the below link for more info and let me know if it works for you.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Addaliasestofields">https://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Addaliasestofields</A></P> Wed, 11 Jul 2018 11:33:41 GMT https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434822#M168384 manish_singh_77 2018-07-11T11:33:41Z https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434823#M168385 <P>See docs on <CODE>match()</CODE>, it only takes two parameters: <A href="http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/ConditionalFunctions#match.28SUBJECT.2C_.22REGEX.22.29">http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/ConditionalFunctions#match.28SUBJECT.2C_.22REGEX.22.29</A></P> Wed, 11 Jul 2018 12:06:13 GMT https://community.splunk.com/t5/Splunk-Search/Combining-field-names-into-one-new-result-name/m-p/434823#M168385 martin_mueller 2018-07-11T12:06:13Z