https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674430#M230858 <P><BR />Hi experts,&nbsp;I want to just combine these location sites - "HU1","IA2","IB0 and create new <STRONG>AM</STRONG> site.</P><P>I tried this query, it works but it shows only new site. How to see&nbsp;the all original sites along with the new site in location field?<BR />|search location IN ("HU1","IA2","IB0")<BR />|eval row=if(location IN ("HU1","IA2","IB0"),"AM",location)<BR />|stats c by row.</P><P>How to solve any idea?&nbsp;</P> Tue, 16 Jan 2024 19:49:51 GMT Muthu_Vinith 2024-01-16T19:49:51Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674430#M230858 <P><BR />Hi experts,&nbsp;I want to just combine these location sites - "HU1","IA2","IB0 and create new <STRONG>AM</STRONG> site.</P><P>I tried this query, it works but it shows only new site. How to see&nbsp;the all original sites along with the new site in location field?<BR />|search location IN ("HU1","IA2","IB0")<BR />|eval row=if(location IN ("HU1","IA2","IB0"),"AM",location)<BR />|stats c by row.</P><P>How to solve any idea?&nbsp;</P> Tue, 16 Jan 2024 19:49:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674430#M230858 Muthu_Vinith 2024-01-16T19:49:51Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674433#M230860 <P>When describing a problem, make sure to use consistent terms and explain new terms as you introduce them. &nbsp;I assume that "original sites" means <SPAN>"HU1","IA2", and "IB0". &nbsp;Is this correct?&nbsp;</SPAN>&nbsp;The search logic seems opposite to what you are looking for. &nbsp;Try this:</P><LI-CODE lang="markup">|search location IN ("HU1","IA2","IB0") |eval row=if(location IN ("HU1","IA2","IB0"),location,"AM") |stats c by row.</LI-CODE><P>&nbsp;</P> Tue, 16 Jan 2024 19:59:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674433#M230860 yuanliu 2024-01-16T19:59:06Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674436#M230861 <P><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;Let's assume for example&nbsp;</SPAN>in my data I'm having loction sites - AB,AC,AD,AF. I want new location that is <STRONG>AM.<SPAN>&nbsp;</SPAN></STRONG>Where<STRONG><SPAN>&nbsp;</SPAN>AM&nbsp;</STRONG>location should be the combination of (AB,AC,AD,AF)</P><P>Like this i need:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Muthu_Vinith_0-1705436049444.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28958i5C33A699B0AA4004/image-size/medium?v=v2&amp;px=400" role="button" title="Muthu_Vinith_0-1705436049444.png" alt="Muthu_Vinith_0-1705436049444.png" /></span></P><P>I tried this query as you mentioned earlier, but it doesn't work.</P> Tue, 16 Jan 2024 20:22:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674436#M230861 Muthu_Vinith 2024-01-16T20:22:41Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674450#M230864 <BLOCKQUOTE><HR />location that is <STRONG>AM.<SPAN>&nbsp;</SPAN></STRONG>Where<STRONG><SPAN>&nbsp;</SPAN>AM&nbsp;</STRONG>location should be the combination of (AB,AC,AD,AF)<P>Like this i need:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Muthu_Vinith_0-1705436049444.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28958i5C33A699B0AA4004/image-size/medium?v=v2&amp;px=400" role="button" title="Muthu_Vinith_0-1705436049444.png" alt="Muthu_Vinith_0-1705436049444.png" /></span></P><HR /></BLOCKQUOTE><P>First, "the combination of (AB,AC,AD,AF)" is NOT "AM" in your illustration. &nbsp;The illustration is the opposite of what you described. (Also, please use text table instead of screenshot.)</P><P>Second, for your initial question, I notice that you filter for <SPAN>"HU1","IA2","IB0". &nbsp;Of course you will only get whatever definition you give for these three. &nbsp;I think what you wanted is</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">``` |search location IN ("HU1","IA2","IB0")``` ``` ^^^ no filtering ``` |eval row=if(location IN ("HU1","IA2","IB0"),location,"AM") |stats c by row</LI-CODE><P>&nbsp;</P><P>But back to your new example. &nbsp;Here is an emulation</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults format=csv data="Location AB AC AD AE AF AG AH" ``` data emulation above ``` | eval "New Location" = if(Location IN ("AB","AC","AD","AE","AF"),Location,"AM")</LI-CODE><P>&nbsp;</P><TABLE><TBODY><TR><TD>Location</TD><TD>New Location</TD></TR><TR><TD>AB</TD><TD>AB</TD></TR><TR><TD>AC</TD><TD>AC</TD></TR><TR><TD>AD</TD><TD>AD</TD></TR><TR><TD>AE</TD><TD>AE</TD></TR><TR><TD>AF</TD><TD>AF</TD></TR><TR><TD>AG</TD><TD>AM</TD></TR><TR><TD>AH</TD><TD>AM</TD></TR></TBODY></TABLE><P>Is this what you illustrated?</P> Wed, 17 Jan 2024 04:12:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-field-values/m-p/674450#M230864 yuanliu 2024-01-17T04:12:49Z