https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386040#M112687 <PRE><CODE>index=wineventlog EventCode=4740 host=* | stats count by Account_Name Field1 Field2 | sort - count </CODE></PRE> <P>That should add Field1 and Field2 to your results</P> Thu, 23 May 2019 20:49:10 GMT aguthrie1190 2019-05-23T20:49:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386039#M112686 <P>I need to add more columns to a search after results are counted. Here's my query</P> <PRE><CODE>index=wineventlog EventCode=4740 host=* | stats count by Account_Name | sort - count </CODE></PRE> <P>Results give me Account_Name and Count ...I want to add more fields to results.I tried table but this doesn't work.</P> Thu, 23 May 2019 20:42:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386039#M112686 jcolon68 2019-05-23T20:42:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386040#M112687 <PRE><CODE>index=wineventlog EventCode=4740 host=* | stats count by Account_Name Field1 Field2 | sort - count </CODE></PRE> <P>That should add Field1 and Field2 to your results</P> Thu, 23 May 2019 20:49:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386040#M112687 aguthrie1190 2019-05-23T20:49:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386041#M112688 <P>Thanks! I tried that , but the count is not correct. It's only showing count as 1 for most of the results when there's multiple. </P> Thu, 23 May 2019 20:56:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386041#M112688 jcolon68 2019-05-23T20:56:01Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386042#M112689 <P>When you do <CODE>count by</CODE>, stats will count the times when the combination of fields appears together, otherwise it will throw away the field if it is not specified in your <CODE>by</CODE> argument. </P> <P>Say you have this data</P> <P>1 host=host1 field="test"<BR /> 2 host=host1 field="test2"</P> <P>And my search is: <BR /> * | stats count by host field</P> <P>I'll have 2 results, each with the count of 1. One result for host1, test and one result for host1, test2. </P> <P>What does your data look like, if you have a lot of unique events, stats may not be the best way to characterize your data. </P> Thu, 23 May 2019 21:03:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386042#M112689 aguthrie1190 2019-05-23T21:03:27Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386043#M112690 <P>@jcolon68 try below </P> <PRE><CODE>index=wineventlog EventCode=4740 host=* | stats values(*) as * , count by Account _Name|sort 0 count </CODE></PRE> Thu, 23 May 2019 21:24:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386043#M112690 Vijeta 2019-05-23T21:24:39Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386044#M112691 <P>When you pipe to stats you are doing a transforming search and in effect dropping the data that isn't part of the statistical results.<BR /> In order to include additional fields you need to include them as part of the results. You could also try something like appendpipe to add more output to your base search.</P> <P>References: <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutreportingcommands">https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutreportingcommands</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendpipe">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendpipe</A></P> Fri, 24 May 2019 00:28:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386044#M112691 mtranchita 2019-05-24T00:28:25Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386045#M112692 <P>I just really want to group the Account_Name field into individual lines with a count. But I want to see multiple fields, like Computer Name , which may be different for example:</P> <P>Account_Name Computer name IP<BR /> account Computer 1 10.10.0.1<BR /> account Computer 2 10.10.0.2<BR /> account Computer 3 10.10.0.3</P> <P>what I'd like to see is just a grouping and count of "Account_Name" and show other fields as well:</P> <P>Account_Name Computer name IP Count<BR /> account Computer 1 10.10.0.1 3<BR /> account Computer 2 10.10.0.2 3<BR /> account Computer 3 10.10.0.3 3 </P> Fri, 24 May 2019 13:18:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386045#M112692 jcolon68 2019-05-24T13:18:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386046#M112693 <P>You could try using the <STRONG>eventstats</STRONG> command instead of stats.</P> <P>Per Splunk Docs,</P> <BLOCKQUOTE> <P>The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event.</P> </BLOCKQUOTE> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventstats">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventstats</A></P> Fri, 24 May 2019 13:50:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386046#M112693 mkolkebeck 2019-05-24T13:50:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386047#M112694 <P>What's your requirement here? Could you please provide available fields and sample expected <BR /> output?</P> Fri, 24 May 2019 14:37:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386047#M112694 somesoni2 2019-05-24T14:37:40Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386048#M112695 <P>So you want to count the account names by multiple fields while still showing the account name?<BR /> Have you tried something like:<BR /> index=wineventlog EventCode=4740 host=* | stats c(Account_Name) as COUNT by Account_Name, ComputerName, IP</P> Wed, 30 Sep 2020 00:40:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/386048#M112695 mtranchita 2020-09-30T00:40:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/526736#M148677 <PRE>index=wineventlog EventCode=4740 host=* | stats count by Account_Name,&nbsp;Computer_Name,&nbsp;IP&nbsp;| stats&nbsp;list(Computer_Name)&nbsp;as&nbsp;Computer_Name,&nbsp;list(IP)&nbsp;as&nbsp;IP, count(Account_Name) as Count&nbsp;by&nbsp;Account_Name&nbsp;|&nbsp;sort&nbsp;-&nbsp;Count</PRE><P><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/179651">@jcolon68</a>, t</SPAN>his groups Account_Names together and still counts them.&nbsp;</P> Wed, 28 Oct 2020 01:10:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-more-fields-after-the-stats-count-by-command/m-p/526736#M148677 khiott 2020-10-28T01:10:51Z