Solved: Re: Group By Replace

jasonhask · ‎05-15-2019

Hello,

I have several things that come in via different platforms: Android (watch, phone, tablet), iOS (Watch, Phone, Tablet), and Web. For counting purposes I just need to know the platform (for now). I was wondering if there was any way possible to group my counts by my replaces.

index =blah source=blah earliest=-16m@m latest=-1m@m 
| stats count(eval(Status=0 OR Status=1)) as Now by Platform
| replace android* with Android, *Web* with Web, ip* with iOS
| table Platform, Now

As of now my results look like:

Platform            Now
android              96
android               1
android            1306
iOS                3000
iOS                  45
iOS                   2
Web                1286
Web                 956

What I would like:

Platform            Now
Android            1403
iOS                3047
Web                2242

Thanks in advance for any help.

woodcock · ‎05-15-2019

Try this:

index =blah source=blah earliest=-16m@m latest=-1m@m 
| stats count(eval(Status=0 OR Status=1)) AS Now BY Platform
| replace android* with Android, *Web* with Web, ip* with iOS
| stats sum(Now) AS Now BY Platform

View solution in original post

woodcock · ‎05-15-2019

Try this:

index =blah source=blah earliest=-16m@m latest=-1m@m 
| stats count(eval(Status=0 OR Status=1)) AS Now BY Platform
| replace android* with Android, *Web* with Web, ip* with iOS
| stats sum(Now) AS Now BY Platform

jasonhask · ‎05-16-2019

While that didn't answer my question directly it led me in the right direction, thank you!

woodcock · ‎05-16-2019

OK, then do click Accept on the answer to close the question.

Group By Replace

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash