Splunk Search

Grouping multiple results from a search into the same name

bb10
Engager

I'm trying to make a visualization showing our number of signatures, but the data is not very organized because I have 20+ results with variations of the name "generic", for example:

Generic.TC.ldrvmp1
Generic.TC.ligldq1
Generic.TC.ljhook1
Generic.TC.lmzdbq1
Generic.TC.lnionm1
Generic.TC.lniqpu1
Generic.TC.lxboaq1
Generic.TC.mpneia1
Generic.TC.mpngod

I want to group all these results under the name "generic", but it seems like if I try to use wildcards in the search below it gives me an error. I could write out each signature individually in the | eval command, but that seems very inefficient. I was wondering if it was possible for me to group the results into the same name?

| eval signature=case(signature="Generic.*", "generic")
| stats count by signature
| sort -count

0 Karma
1 Solution

ITWhisperer
SplunkTrust
| eval signature=case(match(signature,"Generic.*"), "generic",1==1,signature)


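Why the original search failed, and what the accepted answer relies on: in eval, `signature="Generic.*"` is a literal string comparison, not a wildcard match, so it silently matches nothing. Wildcards only behave that way in the search command; inside eval you need `match()` (a PCRE regex) or `like(signature, "Generic.%")` (SQL-style `%`). Two details of `match(signature,"Generic.*")` are worth knowing before using it on real detection data: the regex is unanchored and case-sensitive, so it also matches a name such as Trojan.GenericKD.sample (because "Generic" followed by any character appears inside it) and misses a lowercase generic.tc.sample. The search below is an added example, not part of the original thread or of Splunk's own code. It builds its own constructed sample values with makeresults so it runs on any Splunk instance with no indexed data, and anchors the pattern to the start of the name with a case-insensitive flag; the signature strings are made up for the demonstration.

```spl
| makeresults count=1
| eval signature=split("Generic.TC.ldrvmp1,Generic.TC.ligldq1,Generic.TC.ljhook1,Generic.TC.mpngod,generic.tc.sample,Trojan.GenericKD.sample,Adware.Sample.A", ",")
| mvexpand signature
| eval family=case(
      match(signature, "^(?i)generic\."), "generic",
      true(), signature)
| stats count by family
| sort -count
```

With the constructed input, the anchored pattern folds the four Generic.TC.* names and the lowercase generic.tc.sample into a single "generic" row (count 5), while Trojan.GenericKD.sample and Adware.Sample.A keep their own rows; the unanchored `Generic.*` from the accepted answer would have pulled the Trojan sample into the "generic" bucket as well. `true()` is the documented eval constant and does the same job as the `1==1` catch-all in the accepted answer. If the goal is to collapse every signature to its vendor family rather than just the Generic ones, the same idea generalizes: extract the first dotted token with `| rex field=signature "^(?<family>[^.]+)"`, lower-case it with `| eval family=lower(family)`, and run the same `stats count by family`.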
bb10
Engager

Thank you this works

0 Karma