https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383333#M111949 <P>Thank you for the tip...</P> Fri, 29 Mar 2019 10:44:00 GMT dreadangel 2019-03-29T10:44:00Z https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383330#M111946 <P>Hi all,</P> <P>I got some data structured next: </P> <PRE><CODE>url user event ------------------------------------- Url1, user1, EventType1 Url1, user1, EventType2 Url2, user1, EventType3 Url2, user1, EventType1 Url1, user2, EventType1 Url2, user2, EventType2 Url3, user2, EventType3 ... </CODE></PRE> <P>My goal is to build a statistics table:</P> <PRE><CODE> [Url], [Total events count], [Distinct users count], [Top $x users + count list] Url1 2 2 user1 - 1 user2 - 1 ----------------------------------------------------------------------------------- Url2, 3, 1, user1 - 1 user2 - 1 ----------------------------------------------------------------------------------- Url3, 1, 1, user2 - 1 ----------------------------------------------------------------------------------- </CODE></PRE> <P>After using <STRONG>stats</STRONG> command in pipeline grouped data isn't available anymore, so is it possible "to add" statistics to the result or should I use multiple subsearches - each acquiting its goal and after joining them?</P> Thu, 28 Mar 2019 14:03:14 GMT https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383330#M111946 dreadangel 2019-03-28T14:03:14Z https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383331#M111947 <P>@dreadangel ,</P> <P>Try</P> <PRE><CODE>"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url </CODE></PRE> <P>If you need further stats by keeping this data , use <CODE>eventstats</CODE> . For eg. <CODE>|eventstats count as "Total_URL_Count"</CODE></P> Thu, 28 Mar 2019 14:53:00 GMT https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383331#M111947 renjith_nair 2019-03-28T14:53:00Z https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383332#M111948 <P>It might be a bit ugly, but this query gives exactly the result you want...</P> <PRE><CODE>&lt;your_base_query&gt; | stats count as "Total Events", dc(user) as "Distinct Users" by url | appendcols [&lt;your_base_query&gt; | stats count by url, user | eval user = user." - ".count | stats list(user) as "Users + count" by url] </CODE></PRE> <P>In case you want a distinct event count an no total count, just swap the first <CODE>stats count</CODE> for a <CODE>stats dc(events)</CODE> </P> Thu, 28 Mar 2019 15:12:21 GMT https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383332#M111948 DMohn 2019-03-28T15:12:21Z https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383333#M111949 <P>Thank you for the tip...</P> Fri, 29 Mar 2019 10:44:00 GMT https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383333#M111949 dreadangel 2019-03-29T10:44:00Z https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383334#M111950 <P>Thank you for the tip upon eventstats - this indeed solves </P> Fri, 29 Mar 2019 10:44:47 GMT https://community.splunk.com/t5/Splunk-Search/Group-data-but-keeping-data-to-be-grouped/m-p/383334#M111950 dreadangel 2019-03-29T10:44:47Z