Hi splunkers
Good morning,
I have came across a new problem
ProgramName = StarMovies
ProgramName = starmovies
ProgramName = starMovies
programName = Star Movies
ProgramName = Starmovies
Like this i have a data in my logs . what i want that all these field should combine and programname count should be 5 for starmovies
Hi kannu,
at first it's an error or you could have different field names: ProgramName and programName (different case for P)?
if you have different field names you can use coalesce funtion:
| eval ProgramName=coalesce(ProgramName, programName)
I don't know if it's acceptable for you, but you could transform each value in upper or lower case and delete spaces between words, in this way you have the same value and you can count values using stats command:
Your_search
| eval ProgramName=lower(trim(ProgramName))
| rex field=ProgramName mode=sed "s/\s//"
| stats count BY ProgramName
Bye.
Giuseppe
Hi kannu,
at first it's an error or you could have different field names: ProgramName and programName (different case for P)?
if you have different field names you can use coalesce funtion:
| eval ProgramName=coalesce(ProgramName, programName)
I don't know if it's acceptable for you, but you could transform each value in upper or lower case and delete spaces between words, in this way you have the same value and you can count values using stats command:
Your_search
| eval ProgramName=lower(trim(ProgramName))
| rex field=ProgramName mode=sed "s/\s//"
| stats count BY ProgramName
Bye.
Giuseppe
Hi @cusello
actually sorry for the mistake data was like this
ProgramName = Star Movies HD
ProgramName = Star MoviesHD
ProgramName = StarMovies HD
Want to make them all three look identical like Star Movies HD
Only spaces are creating trouble
can you help me in that
No problem i have figured it out by myself