https://community.splunk.com/t5/Splunk-Search/How-to-group-different-values-and-count-the-number-of/m-p/293583#M88625 <P>Hi guys,</P> <P>I have 2 data sources (source 1 and source 2) with different locations and transactions.<BR /> How can I group the locations to Inbound and Outbound and count the transactions?</P> <P>Thank you.</P> <PRE><CODE>Source 1 Location Transaction Location/dock/1 ok Location/rec/1 ok Location/pack/1 ok Location/ship/1 ok Source 2 Location Transaction Location/dock/1 not ok Location/rec/1 not ok Location/pack/1 not ok Location/ship/1 not ok Groupings Inbound = Location/dock/1 , Location/rec/1 Outbound = Location/pack/1, Location/ship/1 Result Location Ok not ok Inbound 2 2 Outbound 2 2 </CODE></PRE> Wed, 14 Feb 2018 08:16:29 GMT auaave 2018-02-14T08:16:29Z https://community.splunk.com/t5/Splunk-Search/How-to-group-different-values-and-count-the-number-of/m-p/293583#M88625 <P>Hi guys,</P> <P>I have 2 data sources (source 1 and source 2) with different locations and transactions.<BR /> How can I group the locations to Inbound and Outbound and count the transactions?</P> <P>Thank you.</P> <PRE><CODE>Source 1 Location Transaction Location/dock/1 ok Location/rec/1 ok Location/pack/1 ok Location/ship/1 ok Source 2 Location Transaction Location/dock/1 not ok Location/rec/1 not ok Location/pack/1 not ok Location/ship/1 not ok Groupings Inbound = Location/dock/1 , Location/rec/1 Outbound = Location/pack/1, Location/ship/1 Result Location Ok not ok Inbound 2 2 Outbound 2 2 </CODE></PRE> Wed, 14 Feb 2018 08:16:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-different-values-and-count-the-number-of/m-p/293583#M88625 auaave 2018-02-14T08:16:29Z https://community.splunk.com/t5/Splunk-Search/How-to-group-different-values-and-count-the-number-of/m-p/293584#M88626 <P>Hi @auaave ,<BR /> Can you please try this?</P> <PRE><CODE>YOUR_SEARCH | | eval Location=case(like(Location,"%dock%") OR like(Location,"%rec%"),"Inbound",like(Location,"%pack%") OR like(Location,"%ship%"),"Outbound") | chart count over Location by Transaction </CODE></PRE> <P>My Sample Search:</P> <PRE><CODE>| makeresults | eval Location="Location/dock/1,Location/rec/1,Location/pack/1,Location/ship/1" | eval Location=split(Location,",")| mvexpand Location | eval Transaction="ok" | append [| makeresults | eval Location="Location/dock/1,Location/rec/1,Location/pack/1,Location/ship/1" | eval Location=split(Location,",")| mvexpand Location | eval Transaction="not ok"] | eval Location=case(like(Location,"%dock%") OR like(Location,"%rec%"),"Inbound",like(Location,"%pack%") OR like(Location,"%ship%"),"Outbound") | chart count over Location by Transaction </CODE></PRE> <P>Thanks</P> Wed, 14 Feb 2018 10:55:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-different-values-and-count-the-number-of/m-p/293584#M88626 kamlesh_vaghela 2018-02-14T10:55:05Z https://community.splunk.com/t5/Splunk-Search/How-to-group-different-values-and-count-the-number-of/m-p/293585#M88627 <P>@kamlesh_vaghela, thanks for your help! The groupings works well but I changed the last part to take into account the 2 types of sources.</P> Wed, 14 Feb 2018 22:31:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-different-values-and-count-the-number-of/m-p/293585#M88627 auaave 2018-02-14T22:31:40Z