Solved: How to do multiple searches at once? - Page 2

BITSIntern · ‎07-14-2015

Hi guys,

I need to have multiple searches running that pull up a word from the same field and replace it with another (doing this:** | eval word = if (word="racist","race",word) | stats count by word** ). My problem is I want to do this multiple times with different words but when I tried append, appendcols, join, or saving the searches, they never work out quite right. The closest I have gotten is this in my search bar:
sourcetype="socialist action" "government" OR "govern" | eval word = if (word="govern","government",word) | stats count by word | appendcols[search sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = if (word="racist","race",word) | stats count by word]

But it still leaves another government:
word count
government 1094
government 16
race 405

Do any of you have a suggestion on how to fix this? Please let me know!

sk314 · ‎07-14-2015

Try this:

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government") | stats count by word

EDIT: assuming you have a field named "word" already extracted/populated

View solution in original post

How to do multiple searches at once?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!