https://community.splunk.com/t5/Reporting/How-to-create-a-report-with-counts-per-column-for-one-specific/m-p/96831#M2229 <P>Thanks for your response Iguinn, I took snippets of your example above and got something working.</P> Thu, 25 Jul 2013 20:23:39 GMT ten_yard_fight 2013-07-25T20:23:39Z https://community.splunk.com/t5/Reporting/How-to-create-a-report-with-counts-per-column-for-one-specific/m-p/96829#M2227 <P>I have a search that breaks down what files were accessed, how much data was retrieved and how many total requests for one particular field. Example search query below:</P> <PRE><CODE>index="my_index" source="access_log" directory="/my_app/" | chart count(status_code) AS Requests, sum(file_size) AS TotalData, values(path_to_file) AS FileRequested BY directory </CODE></PRE> <P>The above query produces something like:</P> <PRE><CODE>directory Requests TotalData FileRequested my_app 10 345677 html/index.html images/happy_face.png dynamic/more_happy.py </CODE></PRE> <P>While this is fine if you only care about the TOTAL number for the entire directory, I would like to break it down so that I can display the number of requests and total data for each of the files requested listed by the directory. The directory should only be displayed once like the example above. Any suggestions? I've tried a couple of different ways but I cant get the directory to only display once and the rest of the rows populated with relevant data per file requested.</P> Tue, 16 Jul 2013 17:18:47 GMT https://community.splunk.com/t5/Reporting/How-to-create-a-report-with-counts-per-column-for-one-specific/m-p/96829#M2227 ten_yard_fight 2013-07-16T17:18:47Z https://community.splunk.com/t5/Reporting/How-to-create-a-report-with-counts-per-column-for-one-specific/m-p/96830#M2228 <P>Splunk is not really designed as a "report writer." Depending on what you want to do, you may find it easier to use Splunk for all the computations and then export the results to a .csv file. Then you can take the csv file into any reporting tool to format it.</P> <P>However, this should work:</P> <PRE><CODE>index="my_index" source="access_log" directory="/my_app/" | stats count(status_code) AS Requests, sum(file_size) AS TotalData BY directory path_to_file | eval sort_key=directory + " " + path_to_file | append [ search index="my_index" source="access_log" directory="/my_app/" | stats count(status_code) AS Requests, sum(file_size) AS TotalData BY directory | eval sort_key=directory + "***Total" | eval path_to_file = "Total for directory" ] | sort 0 sort_key | fields - sort_key | rename path_to_file as FileRequested | table directory FileRequested Requests TotalData </CODE></PRE> <P>Note that this will probably take at least twice as much time and resources to run.</P> Tue, 16 Jul 2013 17:38:14 GMT https://community.splunk.com/t5/Reporting/How-to-create-a-report-with-counts-per-column-for-one-specific/m-p/96830#M2228 lguinn2 2013-07-16T17:38:14Z https://community.splunk.com/t5/Reporting/How-to-create-a-report-with-counts-per-column-for-one-specific/m-p/96831#M2229 <P>Thanks for your response Iguinn, I took snippets of your example above and got something working.</P> Thu, 25 Jul 2013 20:23:39 GMT https://community.splunk.com/t5/Reporting/How-to-create-a-report-with-counts-per-column-for-one-specific/m-p/96831#M2229 ten_yard_fight 2013-07-25T20:23:39Z