https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215169#M42363 <P>have you tried <BR /> <CODE>stats count by host, sourcetype, index</CODE> OR <CODE>tstats count by host, sourcetype, index</CODE> ?</P> <P>Bye.<BR /> Giuseppe</P> Thu, 05 Jan 2017 16:40:09 GMT gcusello 2017-01-05T16:40:09Z https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215167#M42361 <P>Hello,</P> <P>I am trying to perform a search that groups all hosts by sourcetype and groups those sourcetypes by index. So far I have this:<BR /><BR /> | tstats values(host) AS Host, values(sourcetype) AS Sourcetype WHERE index=* by index </P> <P>But this search does map each host to the sourcetype. Instead it shows all the hosts that have at least one of the resulting sourcetypes as a sourcetype. </P> Thu, 05 Jan 2017 16:31:21 GMT https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215167#M42361 king2jd 2017-01-05T16:31:21Z https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215168#M42362 <P>Can you give an example of what the end data should look like in table format?</P> Thu, 05 Jan 2017 16:36:57 GMT https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215168#M42362 rjthibod 2017-01-05T16:36:57Z https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215169#M42363 <P>have you tried <BR /> <CODE>stats count by host, sourcetype, index</CODE> OR <CODE>tstats count by host, sourcetype, index</CODE> ?</P> <P>Bye.<BR /> Giuseppe</P> Thu, 05 Jan 2017 16:40:09 GMT https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215169#M42363 gcusello 2017-01-05T16:40:09Z https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215170#M42364 <P>Index1----sourcetype1-----host1<BR /> ------host2<BR /> ------sourcetype2---host 3<BR /> Index2-----sourcetype3----host1<BR /> ----host5</P> <P>Does this help you?</P> Thu, 05 Jan 2017 16:42:47 GMT https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215170#M42364 king2jd 2017-01-05T16:42:47Z https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215171#M42365 <P>That came out worse than I thought but essentially<BR /> index1-sourcetype1-host1,host2<BR /> index2-sourcertype2-host1,host4</P> Thu, 05 Jan 2017 16:44:13 GMT https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215171#M42365 king2jd 2017-01-05T16:44:13Z https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215172#M42366 <P>How about this?</P> <PRE><CODE>| tstats count where index=* by index sourcetype host | stats list(host) as Hosts by index sourcetype </CODE></PRE> Thu, 05 Jan 2017 17:09:28 GMT https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215172#M42366 rjthibod 2017-01-05T17:09:28Z https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215173#M42367 <P>Does exactly what I needed. Thanks for your help!</P> Thu, 05 Jan 2017 18:37:11 GMT https://community.splunk.com/t5/Getting-Data-In/Group-hosts-by-Sourcetype-by-Index/m-p/215173#M42367 king2jd 2017-01-05T18:37:11Z