https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660517#M17599 <P>Hello!</P><P>we would like to extend our alarm for our users' monthly failed logon. I have created the following script. There is a problem with the table. The table is not showing me the "Workstation" and "Source_Network_Address", the Affected and the Count are working fine.</P><P>I did some troubleshooting and found out that the command line with "stats count as" is the reason, as it works without that and shows everything except Count then of course.</P><P>Does anyone have an idea how I can create a table and a counter?</P><P>index=*.....<BR />(Account_Name="*" OR Group_Name="*")<BR />EventCode="4625"<BR />NOT EventCode IN ("4735", "4737", "4755")<BR />NOT Account_Name="*$*"<BR />Name</P><P>| eval time=_time<BR />| eval Operator=mvindex(Account_Name, 0)<BR />| eval Affected=mvindex(Account_Name, 1)<BR />| eval Group=mvindex(Account_Name, 2)<BR />| eval Workstation=mvindex(Workstation_Name, 0)<BR />| eval Group=if(isnull(Group),Group_Name,Group)<BR />| eval Workstation=if(isnull(Workstation),"",Workstation)<BR />| eval Workstation=nullif(Workstation,"")<BR />| eval Affected=if(isnull(Affected),Account_Name,Affected)<BR />| eval ExpirationTime=if(isnull(Expiration_time),"",Expiration_time)<BR />| rex field=Message "(?&lt;Message&gt;[^\n]+)"</P><P>| stats count as Count by Affected<BR />| table Affected, Workstation, Source_Network_Address, Count<BR />| sort -Count</P> Thu, 12 Oct 2023 12:00:40 GMT Miloš 2023-10-12T12:00:40Z https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660517#M17599 <P>Hello!</P><P>we would like to extend our alarm for our users' monthly failed logon. I have created the following script. There is a problem with the table. The table is not showing me the "Workstation" and "Source_Network_Address", the Affected and the Count are working fine.</P><P>I did some troubleshooting and found out that the command line with "stats count as" is the reason, as it works without that and shows everything except Count then of course.</P><P>Does anyone have an idea how I can create a table and a counter?</P><P>index=*.....<BR />(Account_Name="*" OR Group_Name="*")<BR />EventCode="4625"<BR />NOT EventCode IN ("4735", "4737", "4755")<BR />NOT Account_Name="*$*"<BR />Name</P><P>| eval time=_time<BR />| eval Operator=mvindex(Account_Name, 0)<BR />| eval Affected=mvindex(Account_Name, 1)<BR />| eval Group=mvindex(Account_Name, 2)<BR />| eval Workstation=mvindex(Workstation_Name, 0)<BR />| eval Group=if(isnull(Group),Group_Name,Group)<BR />| eval Workstation=if(isnull(Workstation),"",Workstation)<BR />| eval Workstation=nullif(Workstation,"")<BR />| eval Affected=if(isnull(Affected),Account_Name,Affected)<BR />| eval ExpirationTime=if(isnull(Expiration_time),"",Expiration_time)<BR />| rex field=Message "(?&lt;Message&gt;[^\n]+)"</P><P>| stats count as Count by Affected<BR />| table Affected, Workstation, Source_Network_Address, Count<BR />| sort -Count</P> Thu, 12 Oct 2023 12:00:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660517#M17599 Miloš 2023-10-12T12:00:40Z https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660520#M17600 <P>The <FONT face="courier new,courier">stats</FONT> command is a transforming one, meaning it changes the results so only the referenced fields exist.&nbsp; In this case, only the Count and Affected fields are available to subsequent commands.&nbsp; Perhaps the best fix is to use the <FONT face="courier new,courier">eventstats</FONT> command, which is not transforming.</P><LI-CODE lang="markup">| eventstats count as Count by Affected | table Affected, Workstation, Source_Network_Address, Count | sort - Count</LI-CODE><P>&nbsp;</P> Thu, 12 Oct 2023 12:25:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660520#M17600 richgalloway 2023-10-12T12:25:13Z https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660527#M17603 <P>Thank you for the fast answer.&nbsp;</P><P>Now i can see all columns, but the Events in the Statistics are separate and not grouped. Now i see for example 50 times one user and then the another one 20 times, and so on.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Splunk.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27550iECC25F56F0C816EC/image-size/large?v=v2&amp;px=999" role="button" title="Splunk.png" alt="Splunk.png" /></span></P> Thu, 12 Oct 2023 13:28:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660527#M17603 Miloš 2023-10-12T13:28:02Z https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660528#M17604 <P>That's not optimal.&nbsp; <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Try this alternative using stats.</P><LI-CODE lang="markup">| stats count as Count, values(Workstation) as Workstation, values(Source_Network_Address) as Source_Network_Address by Affected | table Affected, Workstation, Source_Network_Address, Count | sort - Count</LI-CODE><P>This may yield multiple workstation or source address values for each Affected value.</P> Thu, 12 Oct 2023 13:38:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660528#M17604 richgalloway 2023-10-12T13:38:00Z https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660988#M17653 <P>Hey,&nbsp;</P><P>thank you for the help. Now we have a solution <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Best regards</P> Tue, 17 Oct 2023 10:20:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Cant-build-a-table-with-command-quot-stats-count-quot/m-p/660988#M17653 Miloš 2023-10-17T10:20:29Z