https://community.splunk.com/t5/Splunk-Search/Counts-in-stats-command-not-working-the-way-I-expected/m-p/345098#M102241 <P>Your aggregation was done based on customerId and it seems one Account ID was associated with multiple customerId hence you get 3 different rows (one for each customerId) with same Account ID. May be do a second aggregation by aid, like this</P> <PRE><CODE>index=wholesale_app [search index="wholesale_app" product=* CustomAnalytic Properties.index=33 (refreshWsCVRToken OR obtainWsCVRToken) |table clientSessionId] customerId OR (refreshWsCVRToken OR obtainWsCVRToken)|rex "(?&lt;accountid&gt;\w+)..,..customerId"|rex "sites.\d+.(?&lt;token_type&gt;\w+)"|stats values(accountid) as aid count(eval(token_type="refreshWsCVRToken")) as rcount count(eval(token_type="obtainWsCVRToken")) as ocount by clientSessionId |where aid!="" AND isnotnull(aid) AND len(aid)&lt;=15 | stats sum(*count) as *count by aid |sort -rcount |rename aid as "Account ID" rcount as "Refresh token" ocount as "Obtain token" </CODE></PRE> Fri, 02 Feb 2018 20:53:41 GMT somesoni2 2018-02-02T20:53:41Z https://community.splunk.com/t5/Splunk-Search/Counts-in-stats-command-not-working-the-way-I-expected/m-p/345097#M102240 <P>Hi,</P> <P>I have this query. It "works" (well mostly). What I'm confused about is the resulting stat table</P> <PRE><CODE>index=wholesale_app [search index="wholesale_app" product=* CustomAnalytic Properties.index=33 (refreshWsCVRToken OR obtainWsCVRToken) |table clientSessionId] customerId OR (refreshWsCVRToken OR obtainWsCVRToken)|rex "(?&lt;accountid&gt;\w+)..,..customerId"|rex "sites.\d+.(?&lt;token_type&gt;\w+)"|stats values(accountid) as aid count(eval(token_type="refreshWsCVRToken")) as rcount count(eval(token_type="obtainWsCVRToken")) as ocount by clientSessionId |sort -Count|fields - clientSessionId|where aid!=""|where len(aid)&lt;=15 |rename aid as "Account ID" rcount as "Refresh token" ocount as "Obtain token" </CODE></PRE> <P>Resulting stats table. I see three entries for the same account number with 1 as the count. I'd like 1 entry for the account but with a count of 3. Any thoughts?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4267iDA2AC32E503DBA87/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Fri, 02 Feb 2018 20:43:36 GMT https://community.splunk.com/t5/Splunk-Search/Counts-in-stats-command-not-working-the-way-I-expected/m-p/345097#M102240 dbcase 2018-02-02T20:43:36Z https://community.splunk.com/t5/Splunk-Search/Counts-in-stats-command-not-working-the-way-I-expected/m-p/345098#M102241 <P>Your aggregation was done based on customerId and it seems one Account ID was associated with multiple customerId hence you get 3 different rows (one for each customerId) with same Account ID. May be do a second aggregation by aid, like this</P> <PRE><CODE>index=wholesale_app [search index="wholesale_app" product=* CustomAnalytic Properties.index=33 (refreshWsCVRToken OR obtainWsCVRToken) |table clientSessionId] customerId OR (refreshWsCVRToken OR obtainWsCVRToken)|rex "(?&lt;accountid&gt;\w+)..,..customerId"|rex "sites.\d+.(?&lt;token_type&gt;\w+)"|stats values(accountid) as aid count(eval(token_type="refreshWsCVRToken")) as rcount count(eval(token_type="obtainWsCVRToken")) as ocount by clientSessionId |where aid!="" AND isnotnull(aid) AND len(aid)&lt;=15 | stats sum(*count) as *count by aid |sort -rcount |rename aid as "Account ID" rcount as "Refresh token" ocount as "Obtain token" </CODE></PRE> Fri, 02 Feb 2018 20:53:41 GMT https://community.splunk.com/t5/Splunk-Search/Counts-in-stats-command-not-working-the-way-I-expected/m-p/345098#M102241 somesoni2 2018-02-02T20:53:41Z https://community.splunk.com/t5/Splunk-Search/Counts-in-stats-command-not-working-the-way-I-expected/m-p/345099#M102242 <P>Wow, one day when I grow up I want to be able to do what you do <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks again Somesoni2!!!</P> Fri, 02 Feb 2018 20:56:40 GMT https://community.splunk.com/t5/Splunk-Search/Counts-in-stats-command-not-working-the-way-I-expected/m-p/345099#M102242 dbcase 2018-02-02T20:56:40Z