Hi @Pikta, you need an eval command with a case function, something like this:

<your_search>
| eval OS=case(
    like('operating-system',"Microsoft Windows Server%"), "Windows Server",
    like('operating-system',"Microsoft Windows%"), "Windows OS",
    'operating-system'="Linux", "Linux",
    'operating-system'="CentOS", "Linux",
    'operating-system'="Ubuntu", "Linux")

Obviously, you can extend the command with other options as well.

Next time, if possible, don't use "-" (or spaces) in field names; use an underscore (_) instead, because Splunk uses "-" as an operator, so you have to put single quotes around the field name.

Ciao.
Giuseppe
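As an added, self-contained example (not part of Giuseppe's answer), the same normalisation run over a small constructed set of values so it can be pasted into any Splunk search bar without needing the original data. It assumes the field has already been renamed to operating_system (so no quoting is needed), adds a true() catch-all branch so unmatched values land in an "Other" bucket instead of a null OS field, and finishes with a stats count to show the result per category:

```spl
| makeresults
| eval operating_system="Microsoft Windows Server 2019;Microsoft Windows 10;CentOS;Ubuntu;Linux;FreeBSD"
| makemv delim=";" operating_system
| mvexpand operating_system
| eval OS=case(
    like(operating_system, "Microsoft Windows Server%"), "Windows Server",
    like(operating_system, "Microsoft Windows%"), "Windows OS",
    operating_system="Linux" OR operating_system="CentOS" OR operating_system="Ubuntu", "Linux",
    true(), "Other")
| stats count BY OS
```

The order of the case() branches matters: case() returns the value of the first condition that is true, so the more specific "Microsoft Windows Server%" pattern must come before the generic "Microsoft Windows%" one, otherwise every server would be classified as "Windows OS". With real data, replace the first four lines with your own search and a `| rename operating-system AS operating_system` step.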