https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701994#M238079 <P>Replace&nbsp;searchmatch(text1_value,"Load Balancer") with&nbsp;searchmatch("text1_value=\"*Load Balancer*\""), and so on. &nbsp;BTW, rename is not needed for searchmatch because it accepts any syntax/shortcut that the search command accepts. (Like search, it also does case-insensitive match.) &nbsp;For example,</P><LI-CODE lang="markup">index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now | stats count(eval(searchmatch("text1.value=\"*Load Balancer*\""))) AS LoadBalancer count(eval(searchmatch("text1.value = \"*Endpoints*\""))) AS Endpoints</LI-CODE><P>&nbsp;</P> Tue, 15 Oct 2024 19:25:53 GMT yuanliu 2024-10-15T19:25:53Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701916#M238049 <P>HI,<BR /><BR />I have a below query, I want to group and count by two different words, one group per word, in a field "text1.value"&nbsp; which are&nbsp;Load Balancer and Endpoints words are located somewhere in a string. Also I want to count how many of them occured per one day.&nbsp;<BR /><BR />Is this possible?<BR /><BR />index=monitor name="Manager - Error" text2.value="*Rerun"&nbsp;&nbsp;text1.value="*Load Balancer*" OR "*Endpoints*"<BR /><BR /><BR /></P> Tue, 15 Oct 2024 12:07:03 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701916#M238049 H2ck1ngPr13sT 2024-10-15T12:07:03Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701923#M238052 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271020">@H2ck1ngPr13sT</a>&nbsp;,</P><P>if you want your count for one day, you could use something like this:</P><LI-CODE lang="markup">index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now | rename text1.value AS text1_value | stats count(eval(searchmatch(text1_value,"Load Balancer"))) AS LoadBalancer count(eval(searchmatch(text1_value,"Endpoints"))) AS Endpoints</LI-CODE><P>if instead yu want the values for each day in the last 7 days, you could use something like this:</P><LI-CODE lang="markup">index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-17 latest=now | rename text1.value AS text1_value | eval type=if(searchmatch(text1_value,"Load Balancer"),"LoadBalancer", "Endpoints") | timechart span=1d count BY type</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 15 Oct 2024 12:18:12 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701923#M238052 gcusello 2024-10-15T12:18:12Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701975#M238076 <P>Unfortunately, I'm getting error: "<SPAN>Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid." I've tried both solutions.</SPAN></P> Tue, 15 Oct 2024 16:23:30 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701975#M238076 H2ck1ngPr13sT 2024-10-15T16:23:30Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701994#M238079 <P>Replace&nbsp;searchmatch(text1_value,"Load Balancer") with&nbsp;searchmatch("text1_value=\"*Load Balancer*\""), and so on. &nbsp;BTW, rename is not needed for searchmatch because it accepts any syntax/shortcut that the search command accepts. (Like search, it also does case-insensitive match.) &nbsp;For example,</P><LI-CODE lang="markup">index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now | stats count(eval(searchmatch("text1.value=\"*Load Balancer*\""))) AS LoadBalancer count(eval(searchmatch("text1.value = \"*Endpoints*\""))) AS Endpoints</LI-CODE><P>&nbsp;</P> Tue, 15 Oct 2024 19:25:53 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/701994#M238079 yuanliu 2024-10-15T19:25:53Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/702034#M238085 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271020">@H2ck1ngPr13sT</a>&nbsp;,</P><P>sorry I confused searchmatch with match, please use match function.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 16 Oct 2024 07:04:50 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-the-words-in-a-field/m-p/702034#M238085 gcusello 2024-10-16T07:04:50Z