https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219599#M64530 <P>Since Hiroshi beat me to it with eval, for completeness here is how you can do it with foreach </P> <PRE><CODE>sourcetype= mydata | stats count by status | foreach status [eval &lt;&lt;FIELD&gt;&gt; = if((&lt;&lt;FIELD&gt;&gt;=="FAIL" OR &lt;&lt;FIELD&gt;&gt;=="FAILURE"),"FAILED",&lt;&lt;FIELD&gt;&gt;) ] | stats sum(count) as count by status </CODE></PRE> <P>See: <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Foreach">http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Foreach</A></P> Thu, 05 Jan 2017 09:32:53 GMT jplumsdaine22 2017-01-05T09:32:53Z https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219597#M64528 <P>Hi All,</P> <P>Apologies if this is too simple question and has been asked 100 times, But i can't seem to find the answer I'm looking for..</P> <P>For the time being, I simply want to graph the number transaction status over time from a sourcetype which shows the following: "SUCCESS" "FAILED", "BLOCKED"...</P> <P>However, for failed transactions, the data is coming in with failed status= "FAIL" or "FAILURE".</P> <P>How can I make "FAILED = FAIL + FAILURE", and plot the status = SUCCESS &amp; status = BLOCKED along side it?</P> <P>I'm currently using the search: <BR /> sourcetype= mydata | stats count by status</P> <P>As per below:</P> <P>Cheers,</P> <P>Craig<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2292iCCF3EBB84488F6CB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 05 Jan 2017 04:38:23 GMT https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219597#M64528 craigwilkinson 2017-01-05T04:38:23Z https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219598#M64529 <P>Try this!</P> <P>sourcetype= mydata|eval status=if(status="FAIL" OR status="FAILER","FAILED",status) | stats count by status</P> Thu, 05 Jan 2017 09:22:53 GMT https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219598#M64529 HiroshiSatoh 2017-01-05T09:22:53Z https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219599#M64530 <P>Since Hiroshi beat me to it with eval, for completeness here is how you can do it with foreach </P> <PRE><CODE>sourcetype= mydata | stats count by status | foreach status [eval &lt;&lt;FIELD&gt;&gt; = if((&lt;&lt;FIELD&gt;&gt;=="FAIL" OR &lt;&lt;FIELD&gt;&gt;=="FAILURE"),"FAILED",&lt;&lt;FIELD&gt;&gt;) ] | stats sum(count) as count by status </CODE></PRE> <P>See: <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Foreach">http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Foreach</A></P> Thu, 05 Jan 2017 09:32:53 GMT https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219599#M64530 jplumsdaine22 2017-01-05T09:32:53Z https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219600#M64531 <P>Beat me to it!</P> Thu, 05 Jan 2017 09:33:27 GMT https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219600#M64531 jplumsdaine22 2017-01-05T09:33:27Z https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219601#M64532 <P>Awesome, thanks guys <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Jan 2017 23:27:51 GMT https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219601#M64532 craigwilkinson 2017-01-05T23:27:51Z https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219602#M64533 <P>Thanks for the reply mate.</P> <P>Interested to investigate this method a little further,</P> <P>When I run your command, it doesn't seem to return any results :s</P> Thu, 05 Jan 2017 23:31:45 GMT https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219602#M64533 craigwilkinson 2017-01-05T23:31:45Z https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219603#M64534 <P>interesting - it definately should!</P> <P>Here's a run anywhere example:</P> <PRE><CODE>|gentimes start=-1 | eval status="FAIL" | stats count by status | foreach status [eval &lt;&lt;FIELD&gt;&gt; = if((&lt;&lt;FIELD&gt;&gt;=="FAIL" OR &lt;&lt;FIELD&gt;&gt;=="FAILURE"),"FAILED",&lt;&lt;FIELD&gt;&gt;) ] | stats sum(count) as count by status </CODE></PRE> Fri, 06 Jan 2017 13:38:00 GMT https://community.splunk.com/t5/Splunk-Search/Aliasing-and-Graphing-events-at-search/m-p/219603#M64534 jplumsdaine22 2017-01-06T13:38:00Z