https://community.splunk.com/t5/Splunk-Search/Create-report-for-different-fields/m-p/43201#M10165 <P>Perhaps something like this could do. The visualization part is left as an exercise to the reader.</P> <PRE><CODE>your_search | timechart span=1h c as total c(eval(like(to, "%mail.com"))) as sent_count c(eval(like(from, "%mail.com"))) as received_count </CODE></PRE> <P>/K</P> Thu, 22 Aug 2013 12:39:46 GMT kristian_kolb 2013-08-22T12:39:46Z https://community.splunk.com/t5/Splunk-Search/Create-report-for-different-fields/m-p/43200#M10164 <P>Hi,<BR /> I have a search: </P> <PRE><CODE>source="/var/log/mail.log" to="*mail.com" OR from="*@mail.com" </CODE></PRE> <P>How can i build report where i can see columns what show count of emails in day/hour, but the column has two colours, one colour for sent emails and other colour for recived emails.<BR /> And some statistics that in that day there were 100 emails 40of them recived and 60 sent.</P> Thu, 22 Aug 2013 11:37:03 GMT https://community.splunk.com/t5/Splunk-Search/Create-report-for-different-fields/m-p/43200#M10164 ttrumm 2013-08-22T11:37:03Z https://community.splunk.com/t5/Splunk-Search/Create-report-for-different-fields/m-p/43201#M10165 <P>Perhaps something like this could do. The visualization part is left as an exercise to the reader.</P> <PRE><CODE>your_search | timechart span=1h c as total c(eval(like(to, "%mail.com"))) as sent_count c(eval(like(from, "%mail.com"))) as received_count </CODE></PRE> <P>/K</P> Thu, 22 Aug 2013 12:39:46 GMT https://community.splunk.com/t5/Splunk-Search/Create-report-for-different-fields/m-p/43201#M10165 kristian_kolb 2013-08-22T12:39:46Z