Solved: Consolidating portion of a field before counting

spetzd1 · ‎10-19-2015

So, I have a very basic report I am trying to generate that takes an extracted field called MatchesFound and sums up how many of each value it sees:

...| stats count as total by MatchesFound

The result looks something like:

MatchesFound  |   total
1             |    34
2             |    15
3             |    12
5             |    7
6             |    1
7             |    4
9             |    6

The problem I have is that I would like to group some of the MatchesFound together, so that the list goes from 1 through 5 and then has every MatchCount of 6 or higher grouped together. The final table should look something like:

MatchesFound  |   total
1             |    34
2             |    15
3             |    12
5             |    7
6  +          |    11

somesoni2 · ‎10-19-2015

Try something like this

...| stats count as total by MatchesFound | eval MatchesFound=if(MatchesFound>=6,"6+",MatchesFound)  | stats sum(total) as total by MatchesFound

View solution in original post

somesoni2 · ‎10-19-2015

Try something like this

...| stats count as total by MatchesFound | eval MatchesFound=if(MatchesFound>=6,"6+",MatchesFound)  | stats sum(total) as total by MatchesFound

spetzd1 · ‎10-19-2015

Worked like a charm. Thank you!

Consolidating portion of a field before counting

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?