Splunk noob here. I wanted to group our GET endpoints under a single entry. We have the following query:

index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request"
| stats count by "msg.Service.URL"
| rename "msg.Service.URL" as "Endpoint"

The results come out as:

http://endpoint.example.com/sh/bundles 4944
http://endpoint.example.com/sh/bundles/0043005f-a3ce-4f60-8f1d-0a8b076aecdf 3
http://endpoint.example.com/sh/bundles/0067cb65-1de0-4b8e-bdf9-39920f599961 2
http://endpoint.example.com/sh/bundles/008950c2-228c-4871-bab7-50dc01a3297a 2
http://endpoint.example.com/sh/bundles/00c100b8-47ec-4feb-86ae-99f635f8960f 2
http://endpoint.example.com/sh/bundles/00c63a13-2700-440d-b54e-1538db038a1e 2
http://endpoint.example.com/sh/bundles/00e220d1-4f68-487f-ae01-13999811ba31 2
http://endpoint.example.com/sh/bundles/01485473-4b49-4eb8-9a4f-ea5c61f3fe7a 2
http://endpoint.example.com/sh/bundles/0164d5d2-3624-40ca-bf4c-6a3619aead00 2

I want the results with a GUID to be grouped under a single value. So the desired output here would be:

http://endpoint.example.com/sh/bundles 4944 (stays the same)
http://endpoint.example.com/sh/bundles/* 17 (the sum of all the endpoint counts with a GUID)

I'm trying to use a query like the following without any luck:

| eval msg.Service.URL=case(like(msg.Service.URL, "http://endpoint.example.com/sh/bundles/%"), "http://endpoint.example.com/sh/bundles/*", 1=1, 'msg.Service.URL')
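One way to get the desired grouping, as an added example that is not part of the original post: inside eval, a field name containing dots has to be wrapped in single quotes wherever it is read (the unquoted msg.Service.URL inside like() is what breaks the posted attempt), and the rewrite has to run before stats, while the per-event URL field still exists. The GUID regex is an assumption derived from the sample values shown above.

```spl
index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request"
| eval Endpoint=if(match('msg.Service.URL', "^http://endpoint[.]example[.]com/sh/bundles/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"),
                   "http://endpoint.example.com/sh/bundles/*",
                   'msg.Service.URL')
| stats count by Endpoint
```

With the sample data above this yields one row for http://endpoint.example.com/sh/bundles with 4944 and one row for http://endpoint.example.com/sh/bundles/* with 17; any URL that does not end in a GUID is passed through unchanged rather than collapsed.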