Solved: Combine some results together into a single field ...

sbrewerton · ‎05-26-2021

Hello

I have a query that examins events can outputs how many of each level of event there are

index=* eval level=lower(level) | stats count by level

It works fine, but in the output there are some results that should be treated/merged

level	count
debug	10
error	15
fatal	1
info	30
information	40
trace	2
warn	70
warning	75

'info' and 'information' are the same thing, 'warn' and 'warning' are also the same thing

Is there any way to extend/modify this query to have the combined count for 'info' and 'information' in a single result, and the same for 'warn' and 'warning' ? Something lik this ?

level	count
debug	10
error	15
fatal	1
info	70
trace	2
warn	145

Many thanks

_scott

richgalloway · ‎05-26-2021

Use an eval command to normalize field values before stats.

index=* eval level=lower(level) 
| eval level=case(level="information","info", level="warning","warn", 1==1,level)
| stats count by level

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-26-2021

Use an eval command to normalize field values before stats.

index=* eval level=lower(level) 
| eval level=case(level="information","info", level="warning","warn", 1==1,level)
| stats count by level

---
If this reply helps you, Karma would be appreciated.

Combine some results together into a single field label

eval

stats

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?