topic How to write a stats count search for events based on common (but variable) names? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-write-a-stats-count-search-for-events-based-on-common-but/m-p/192106#M55254 <P>I have a log file that lists which tool created the alert. I would like to count alerts by tool name, but I want to combine certain tool counts based on commonalities that I specify.</P> <P>For example:</P> <PRE><CODE>index=logs | stats count by Tools McAfee Basic 12 Extreme McAfee 34 Plat McAfee Plus 6 Xerox IDS Base 1 Stumble IDS Plus 8 Microsoft X IDS 40 </CODE></PRE> <P>I would prefer to count based on tools having the word "McAfee" or "IDS" in them (so that they're grouped)</P> <PRE><CODE>index=logs | some UNKNOWN QUERY McAfee 52 IDS 49 </CODE></PRE> Mon, 03 Nov 2014 21:19:07 GMT DEAD_BEEF 2014-11-03T21:19:07Z How to write a stats count search for events based on common (but variable) names? https://community.splunk.com/t5/Splunk-Search/How-to-write-a-stats-count-search-for-events-based-on-common-but/m-p/192106#M55254 <P>I have a log file that lists which tool created the alert. I would like to count alerts by tool name, but I want to combine certain tool counts based on commonalities that I specify.</P> <P>For example:</P> <PRE><CODE>index=logs | stats count by Tools McAfee Basic 12 Extreme McAfee 34 Plat McAfee Plus 6 Xerox IDS Base 1 Stumble IDS Plus 8 Microsoft X IDS 40 </CODE></PRE> <P>I would prefer to count based on tools having the word "McAfee" or "IDS" in them (so that they're grouped)</P> <PRE><CODE>index=logs | some UNKNOWN QUERY McAfee 52 IDS 49 </CODE></PRE> Mon, 03 Nov 2014 21:19:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-stats-count-search-for-events-based-on-common-but/m-p/192106#M55254 DEAD_BEEF 2014-11-03T21:19:07Z Re: How to write a stats count search for events based on common (but variable) names? https://community.splunk.com/t5/Splunk-Search/How-to-write-a-stats-count-search-for-events-based-on-common-but/m-p/192107#M55255 <P>Try this:</P> <PRE><CODE>index=logs | stats count(eval(searchmatch("McAfee"))) as McAfee count(eval(searchmatch("IDS"))) as IDS </CODE></PRE> Mon, 03 Nov 2014 21:38:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-stats-count-search-for-events-based-on-common-but/m-p/192107#M55255 wpreston 2014-11-03T21:38:14Z Re: How to write a stats count search for events based on common (but variable) names? https://community.splunk.com/t5/Splunk-Search/How-to-write-a-stats-count-search-for-events-based-on-common-but/m-p/192108#M55256 <P>Try this</P> <PRE><CODE>index=logs | stats count(eval(match(Tools,"McAfee"))) as "McAfee" count(eval(match(Tools,"IDS"))) as IDS </CODE></PRE> Mon, 03 Nov 2014 21:50:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-stats-count-search-for-events-based-on-common-but/m-p/192108#M55256 somesoni2 2014-11-03T21:50:41Z