Hi, I'm new to Splunk and I was trying to compare values in the same field and group them subsequently. The events had client transaction id, pp_account_number and corrid different, so I had to remove them and then compare and group. I used | stats group by and it didn't get me the results. There were results that looked the same but were not grouped together. Below is my query. I went on to remove spaces so that it would group better, but that didn't work either.

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist) (machineColo="*") source IN ("riskexternalgateway")
| eval corrId=corr_id
| fields "corrId", "calName", "calMessage"
| where (match(calName,"Monitor_Vendor_Service_Call") AND match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"))
| eval calMessage = replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>", " ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>", " ")
| eval calMessage = replace(calMessage, "corr_id_=.*", "")
| stats by calMessage
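As an added illustration (not part of the question, and not the poster's data), the Python below re-creates the post's eval/replace chain in the same order on constructed calMessage values, counts the resulting groups the way stats by calMessage would, and reports the first character at which two "identical-looking" normalised messages still differ; the message layout and the elapsed= token are assumptions.

```python
import re
from collections import Counter

# Re-creation of the post's SPL replace() chain, applied in the same order
# (assumed equivalent for these patterns; Splunk replace() is PCRE-based).
NORMALISE_STEPS = [
    (r" ", ""),
    (r"<client_transaction_id>.*</client_transaction_id>", " "),
    (r"<pp_account_number>.*</pp_account_number>", " "),
    (r"corr_id_=.*", ""),
]

def normalise(cal_message: str) -> str:
    for pattern, repl in NORMALISE_STEPS:
        cal_message = re.sub(pattern, repl, cal_message)
    return cal_message

def group_by_message(messages):
    """Mimic `| stats count by calMessage` over the normalised values."""
    return Counter(normalise(m) for m in messages)

def first_difference(a: str, b: str):
    """(index, a_tail, b_tail) at the first char where two normalised strings
    diverge, or None if identical; shows which leftover token splits a group."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, a[i:i + 20], b[i:i + 20]
    if len(a) != len(b):
        i = min(len(a), len(b))
        return i, a[i:i + 20], b[i:i + 20]
    return None

# Constructed sample calMessage values (not real log data). Events 1 and 2 differ
# only in the stripped ids (and their order); event 3 also carries a different
# elapsed= value, which none of the replace steps removes.
SAMPLE = [
    "usecase_name=US_CIPACHFunding&VReqRisk <client_transaction_id>ct-1</client_transaction_id> "
    "<pp_account_number>1001</pp_account_number> result=APPROVED elapsed=12ms corr_id_=c1",
    "usecase_name=US_CIPACHFunding&VReqRisk <pp_account_number>1002</pp_account_number> "
    "<client_transaction_id>ct-2</client_transaction_id> result=APPROVED elapsed=12ms corr_id_=c2",
    "usecase_name=US_CIPACHFunding&VReqRisk <client_transaction_id>ct-3</client_transaction_id> "
    "<pp_account_number>1003</pp_account_number> result=APPROVED elapsed=15ms corr_id_=c3",
]

if __name__ == "__main__":
    groups = group_by_message(SAMPLE)
    for key, n in groups.items():
        print(n, repr(key))
    keys = list(groups)
    print(first_difference(keys[0], keys[1]))  # the elapsed= digits keep event 3 apart
```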