https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249933#M74590 <P>Thanks for that! It works, however it is not picking up URLS like this one - <STRONG>storage.us1.hightail.com</STRONG>. As that URL is made up of 4 parts and not 3 I suppose? </P> Fri, 02 Oct 2015 01:12:48 GMT bushrangerjones 2015-10-02T01:12:48Z https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249931#M74588 <P>Hi, </P> <P>I am trying to group (bring together) the results by a keyword in a certain field. For example, I want to group all of the URLs that include "Hightail". As you can see from the screenshot I have several <EM>Hightail</EM> URLs. I want to group them all together, and turn the results in to a dashboard. Would this be possible? </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/698iB44B065F6E2D3E7D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Current query:</P> <PRE><CODE>index=proxy sourcetype=bluecoat cs_categories="*File Storage*" cs_username!="-" cs_method!="unknown" cs_host="*hightail*" | stats sum(cs_bytes) AS bytes_uploaded sum(sc_bytes) AS bytes_downloaded by cs_username cs_host sc_filter_result | eval megabytes_down=bytes_downloaded/1024/1024 | eval megabytes_up=bytes_uploaded/1024/1024 | rename cs_username as "User",cs_host as "Cloud storage URL", sc_filter_result AS "Result", megabytes_up as "Downloaded (MB)", megabytes_down as "Uploaded (MB)"| ......... replace OBSERVED with ALLOWED in Result | sort by -"Downloaded (MB)" | table User, displayName, department, Result, "Cloud storage URL", "Downloaded (MB)", "Uploaded (MB)" </CODE></PRE> <P>Thank you</P> Wed, 30 Sep 2015 06:07:30 GMT https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249931#M74588 bushrangerjones 2015-09-30T06:07:30Z https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249932#M74589 <P>Try this</P> <PRE><CODE>index=proxy sourcetype=bluecoat cs_categories="*File Storage*" cs_username!="-" cs_method!="unknown" cs_host="*hightail*" | stats sum(cs_bytes) AS bytes_uploaded sum(sc_bytes) AS bytes_downloaded by cs_username cs_host sc_filter_result | eval cs_host=if(match(cs_host,".*\.hightail\.com"),"XXX.hightails.com",cs_host) | stats sum(*) as * by cs_username cs_host sc_filter_result | eval megabytes_down=bytes_downloaded/1024/1024 | eval megabytes_up=bytes_uploaded/1024/1024 | rename cs_username as "User",cs_host as "Cloud storage URL", sc_filter_result AS "Result", megabytes_up as "Downloaded (MB)", megabytes_down as "Uploaded (MB)"| ......... replace OBSERVED with ALLOWED in Result | sort by -"Downloaded (MB)" | table User, displayName, department, Result, "Cloud storage URL", "Downloaded (MB)", "Uploaded (MB)" </CODE></PRE> Wed, 30 Sep 2015 16:22:48 GMT https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249932#M74589 somesoni2 2015-09-30T16:22:48Z https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249933#M74590 <P>Thanks for that! It works, however it is not picking up URLS like this one - <STRONG>storage.us1.hightail.com</STRONG>. As that URL is made up of 4 parts and not 3 I suppose? </P> Fri, 02 Oct 2015 01:12:48 GMT https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249933#M74590 bushrangerjones 2015-10-02T01:12:48Z https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249934#M74591 <P>I just added this line:</P> <PRE><CODE>eval cs_host=if(match(cs_host,".*\.au1\.hightail\.com"), "XXX.hightail.com",cs_host) </CODE></PRE> <P>Seem to have done the job! Thanks</P> Fri, 02 Oct 2015 04:38:04 GMT https://community.splunk.com/t5/Splunk-Search/Group-results-by-a-keyword-in-a-particular-field/m-p/249934#M74591 bushrangerjones 2015-10-02T04:38:04Z