Solved: Re: Combine Results

Yy4pb · ‎04-06-2022

Hello Community,

I am having issues combining results to display in a pie chart - I tried a few things such as mvappend and it's not working correctly.

I have pulled a list of Domains and want to display them in a pie chart. To get the list of domains and display them in a chart I am using the following:

rex field=netbiosName "^(?<Domain>[^\\\\]+)" | stats count by Domain

This works as intended, but I have a couple of results that come up as both 'domain1' and 'domain1.com' and are displayed in the pie chart. I would like to combine these results, so that the count for both 'domain1' and 'domain1.com' is added together under just 'domain1'

Thanks

ITWhisperer · ‎04-06-2022

| rex field=netbiosName "^(?<Domain>[^\\\\]+)" 
| eval Domain=if(Domain="domain1.com","domain1",Domain)
| stats count by Domain

View solution in original post

ITWhisperer · ‎04-06-2022

Are you looking to keep just the first part of all domains, or drop the last part of all domains, or remove just .com if it exists from all domains, or change a specific set of domain.com to domain?

Yy4pb · ‎04-06-2022

I need to combine the results - so like

14 domain1
10 domain1.com

I need:

24 domain1

ITWhisperer · ‎04-06-2022

| rex field=netbiosName "^(?<Domain>[^\\\\]+)" 
| eval Domain=if(Domain="domain1.com","domain1",Domain)
| stats count by Domain

Yy4pb · ‎04-06-2022

Works exactly as I wanted - thank you!

How to combine results to display in a pie chart?

chart

rex

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application