https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295028#M89036 <P>Yes, there is, you can use <CODE>mvfilter</CODE> for this.</P> Fri, 08 Nov 2019 15:07:37 GMT woodcock 2019-11-08T15:07:37Z https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295023#M89031 <P>Hi,</P> <P>I've tagged my data by location, and I am now trying to run stats on it.</P> <P>Problem is a location can be Manual or Automated and relate to Bank 1 or Bank 2.</P> <P>The issue I have is when running a stats, I get:</P> <P>Manual Bank 1<BR /> Manual Bank 2<BR /> Automated Bank 1<BR /> Automated Bank 2</P> <P>Whereas all I want to look at is Manual vs. Automated banks. Is there a way of only displaying certain tags?<BR /> If I put tag::XX!= then it doesn't run the search as the field values are tagged as both.</P> <P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Tue, 04 Jul 2017 14:05:56 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295023#M89031 alylanchester 2017-07-04T14:05:56Z https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295024#M89032 <P>Hi alylanchester,<BR /> create an eval field with your condition to use in your stats, e.g. </P> <PRE><CODE>your_search | eval type=if(location="Manual*", "Manual","Automatic") | stats count by type </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 04 Jul 2017 14:48:17 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295024#M89032 gcusello 2017-07-04T14:48:17Z https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295025#M89033 <P>There are 9999+ locations, we have tagged them all which is why I ask, instead of doing an Eval.</P> Tue, 04 Jul 2017 14:50:33 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295025#M89033 alylanchester 2017-07-04T14:50:33Z https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295026#M89034 <P>You must be very, VERY careful when counting by <CODE>tags</CODE>. If an event has more than 1 tag (and that is almost always the case in every splunk deployment at least some of the time), that event will be counted more than once (once for each tag value). In any case, I would do it the way that you are and then sum it up at the end by adding this to the bottom:</P> <PRE><CODE>... | rex field=mytag "^(?&lt;mode&gt;\S+)" | stats sum(count) BY mode </CODE></PRE> <P>That being said, I would to back and redo your tags to have 2: one for <CODE>mode</CODE> (which is either <CODE>Automatic</CODE> or <CODE>Manual</CODE> and one for <CODE>Bank</CODE> which is a number).</P> Tue, 04 Jul 2017 15:06:42 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295026#M89034 woodcock 2017-07-04T15:06:42Z https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295027#M89035 <P>Thanks! Yes, didn't know if there was a way of filtering tags out so only some remained active in the field set. </P> Tue, 04 Jul 2017 15:10:34 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295027#M89035 alylanchester 2017-07-04T15:10:34Z https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295028#M89036 <P>Yes, there is, you can use <CODE>mvfilter</CODE> for this.</P> Fri, 08 Nov 2019 15:07:37 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Values-for-One-Tag-Only-Want-to-Display-One/m-p/295028#M89036 woodcock 2019-11-08T15:07:37Z