https://community.splunk.com/t5/Splunk-Search/Merge-numberous-data-in-a-field/m-p/680534#M232604 <P>thank you - this hasn't worked .. I'm still getting all 158 problem details although now renamed as problem_classification&nbsp;</P><P>but i think i understand that logic and will play around with it.&nbsp;</P><P>&nbsp;</P> Wed, 13 Mar 2024 12:33:40 GMT PaulaCom 2024-03-13T12:33:40Z https://community.splunk.com/t5/Splunk-Search/Merge-numberous-data-in-a-field/m-p/680505#M232592 <P>Good Morning&nbsp;</P> <P>i have a field that i've called problem_detail in our Helpdesk index. it contains all the types of problems that are logged to us. i would like to only merge those that are associated with email queries together. there are about 15 different ones.&nbsp;</P> <LI-CODE lang="markup">index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json | dedup id | fillnull value=NULL | search "problemtype.detailDisplayName"!=*AGRESSO* | eval problem_detail='problemtype.detailDisplayName' | eval problem_detail=replace(problem_detail, "&amp;#8226","") | eval problem_detail=replace(problem_detail, ";","|") | eval techGroupLevel = 'techGroupLevel.levelName' | eval techGroupLevel = replace(techGroupLevel, "&amp;nbsp;"," ") | eval techGroupLevel = replace(techGroupLevel, " ","") | eval techGroupLevel = replace(techGroupLevel, "Level"," Level") | eval location_Name = 'location.locationName' | eval status = 'statustype.statusTypeName' | eval priority = 'prioritytype.priorityTypeName' | eval techGroupId = 'techGroupLevel.id' | eval tech_Name = 'clientTech.displayName' | stats count by problem_detail</LI-CODE> <P>this spl is giving me the full list of 158 problem details and from there i can see around 15 of these relate to email.&nbsp;</P> <P>Is there away i can combine the totals from all the problem_details that contain 'email' together.&nbsp;</P> <P>i tried eval and then coalesce but it didnt work ..:(&nbsp;</P> <P>&nbsp;</P> <P>thank you&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 13 Mar 2024 09:47:32 GMT https://community.splunk.com/t5/Splunk-Search/Merge-numberous-data-in-a-field/m-p/680505#M232592 PaulaCom 2024-03-13T09:47:32Z https://community.splunk.com/t5/Splunk-Search/Merge-numberous-data-in-a-field/m-p/680511#M232594 <P>Try something like this</P><LI-CODE lang="markup">index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json | dedup id | fillnull value=NULL | search "problemtype.detailDisplayName"!=*AGRESSO* | eval problem_detail='problemtype.detailDisplayName' | eval problem_detail=replace(problem_detail, "&amp;#8226","") | eval problem_detail=replace(problem_detail, ";","|") | eval techGroupLevel = 'techGroupLevel.levelName' | eval techGroupLevel = replace(techGroupLevel, "&amp;nbsp;"," ") | eval techGroupLevel = replace(techGroupLevel, " ","") | eval techGroupLevel = replace(techGroupLevel, "Level"," Level") | eval location_Name = 'location.locationName' | eval status = 'statustype.statusTypeName' | eval priority = 'prioritytype.priorityTypeName' | eval techGroupId = 'techGroupLevel.id' | eval tech_Name = 'clientTech.displayName' | eval problem_classification=if(match(problem_detail,".*email.*"), "email problem", problem_detail) | stats count by problem_classification</LI-CODE> Wed, 13 Mar 2024 09:36:07 GMT https://community.splunk.com/t5/Splunk-Search/Merge-numberous-data-in-a-field/m-p/680511#M232594 ITWhisperer 2024-03-13T09:36:07Z https://community.splunk.com/t5/Splunk-Search/Merge-numberous-data-in-a-field/m-p/680534#M232604 <P>thank you - this hasn't worked .. I'm still getting all 158 problem details although now renamed as problem_classification&nbsp;</P><P>but i think i understand that logic and will play around with it.&nbsp;</P><P>&nbsp;</P> Wed, 13 Mar 2024 12:33:40 GMT https://community.splunk.com/t5/Splunk-Search/Merge-numberous-data-in-a-field/m-p/680534#M232604 PaulaCom 2024-03-13T12:33:40Z