https://community.splunk.com/t5/Splunk-Search/Combining-Multivalues-together-inside-a-field/m-p/86757#M22129 <P>I've got a field named "User" which holds the names of all the users of our service. Some users have similar names and I'd like to group them together in search outputs.</P> <P>I'm creating a search to output the number of transactions by user. </P> <P>source=index | chart count by User | rename count as "Transaction Count"</P> <P><PRE><CODE><BR /> User | Transaction Count<BR /> ABC | 100<BR /> DEF | 300<BR /> GHI | 400<BR /> TEST | 5<BR /> TEST1 | 10<BR /> TEST12 | 20<BR /> TEST123 | 200<BR /> JKL | 300<BR /> MNO | 200<BR /> </CODE></PRE></P> <P>I'd like to group everything with "TEST" in the name together (they are the all the same user, but under similar userIDs), along with adding the values for each instance of "TEST" to create a new multivalue called "TEST" (see below).</P> <P><PRE><CODE><BR /> User | Transaction Count<BR /> ABC | 100<BR /> DEF | 300<BR /> GHI | 400<BR /> TEST | 235<BR /> JKL | 300<BR /> MNO | 200<BR /> </CODE></PRE> </P> <P>Can anybody help me? Thanks.</P> Thu, 11 Oct 2012 09:51:00 GMT watsm10 2012-10-11T09:51:00Z https://community.splunk.com/t5/Splunk-Search/Combining-Multivalues-together-inside-a-field/m-p/86757#M22129 <P>I've got a field named "User" which holds the names of all the users of our service. Some users have similar names and I'd like to group them together in search outputs.</P> <P>I'm creating a search to output the number of transactions by user. </P> <P>source=index | chart count by User | rename count as "Transaction Count"</P> <P><PRE><CODE><BR /> User | Transaction Count<BR /> ABC | 100<BR /> DEF | 300<BR /> GHI | 400<BR /> TEST | 5<BR /> TEST1 | 10<BR /> TEST12 | 20<BR /> TEST123 | 200<BR /> JKL | 300<BR /> MNO | 200<BR /> </CODE></PRE></P> <P>I'd like to group everything with "TEST" in the name together (they are the all the same user, but under similar userIDs), along with adding the values for each instance of "TEST" to create a new multivalue called "TEST" (see below).</P> <P><PRE><CODE><BR /> User | Transaction Count<BR /> ABC | 100<BR /> DEF | 300<BR /> GHI | 400<BR /> TEST | 235<BR /> JKL | 300<BR /> MNO | 200<BR /> </CODE></PRE> </P> <P>Can anybody help me? Thanks.</P> Thu, 11 Oct 2012 09:51:00 GMT https://community.splunk.com/t5/Splunk-Search/Combining-Multivalues-together-inside-a-field/m-p/86757#M22129 watsm10 2012-10-11T09:51:00Z https://community.splunk.com/t5/Splunk-Search/Combining-Multivalues-together-inside-a-field/m-p/86758#M22130 <P>If you don't care about keeping all the test accounts separate, I would use rex to rename them at search time. Something like this should work:</P> <P><PRE><CODE><BR /> | rex field=User mode=sed "s/(TEST).*/\1/" | chart count by User<BR /> </CODE></PRE></P> <P>This assumes that no legitimate user account will have the word TEST in it, so depending on your data you may have to tweak the regex a bit.</P> Thu, 11 Oct 2012 13:20:50 GMT https://community.splunk.com/t5/Splunk-Search/Combining-Multivalues-together-inside-a-field/m-p/86758#M22130 cphair 2012-10-11T13:20:50Z https://community.splunk.com/t5/Splunk-Search/Combining-Multivalues-together-inside-a-field/m-p/86759#M22131 <P>Thankyou so much!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 11 Oct 2012 14:07:53 GMT https://community.splunk.com/t5/Splunk-Search/Combining-Multivalues-together-inside-a-field/m-p/86759#M22131 watsm10 2012-10-11T14:07:53Z