https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392448#M114183 <P>hello, the truth is the query is that but I do not know how to perform the missing part to group the values or make a state dedup and list them</P> Fri, 03 Aug 2018 18:56:56 GMT efaundez 2018-08-03T18:56:56Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392445#M114180 <P>good afternoon</P> <P>It is possible to group in a variable the state of multiple fields? Currently I have several fields and each one has to fulfill a condition, but if this happens the state NOK must remain</P> <PRE><CODE>index = "test" sourcetype = "test2" | stats max (field1) as field1, max (field2) as field2 by _time | eval var1 = if (field1 &lt;9999, "NOK", var1) | eval var2 = if (field2 &lt;9999, "NOK", var2) | fields - _time </CODE></PRE> <P>In this example the values are shown to me this way and many times the NOK value, which only needs 1</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5511i31DD109E790ACCFE/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Does anybody have any suggestions?</P> Fri, 03 Aug 2018 17:47:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392445#M114180 efaundez 2018-08-03T17:47:35Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392446#M114181 <P>Is there some portion of query missing? You're referencing field var1 and var2 in your eval expressions (on RHS of <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> but they don't exist after your stats command. </P> Fri, 03 Aug 2018 18:04:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392446#M114181 somesoni2 2018-08-03T18:04:42Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392447#M114182 <P>if I am understanding the question right. I believe what you want to look up is the <CODE>transpose</CODE> function it turns columns into rows</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Transpose">https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Transpose</A></P> Fri, 03 Aug 2018 18:18:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392447#M114182 kiamco 2018-08-03T18:18:38Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392448#M114183 <P>hello, the truth is the query is that but I do not know how to perform the missing part to group the values or make a state dedup and list them</P> Fri, 03 Aug 2018 18:56:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392448#M114183 efaundez 2018-08-03T18:56:56Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392449#M114184 <P>Try like this</P> <H4>Final Answer</H4> <PRE><CODE>..base search | stats max (field1) as field1, max (field2) as field2 by _time | eval var1 = if (field1 &lt;9999, "NOK", var1) | eval var2 = if (field2 &lt;9999, "NOK", var2) | dedup var1 var2 | eval temp=0 | untable temp "N*Var" "NOK Status" | where 'NOK Status' = "NOK" </CODE></PRE> Fri, 03 Aug 2018 19:13:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392449#M114184 somesoni2 2018-08-03T19:13:39Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392450#M114185 <P>Hello</P> <P>Thank you very much is almost 99% of what I wanted, can you do something similar to this?</P> <P>| where "NOK Status"! = "OK"</P> <P>It would only filter the NOK states</P> <P>Agradesco your answer.</P> Fri, 03 Aug 2018 19:34:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392450#M114185 efaundez 2018-08-03T19:34:44Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392451#M114186 <P>Yes.. just add <CODE>| where 'NOK Status'="NOK"</CODE> to end of above search.</P> Fri, 03 Aug 2018 19:41:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392451#M114186 somesoni2 2018-08-03T19:41:24Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392452#M114187 <P>gracias por todo</P> <P>Saludos</P> Fri, 03 Aug 2018 19:54:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392452#M114187 efaundez 2018-08-03T19:54:02Z https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392453#M114188 <P>Glad to be of help. If there are no further follow-up question related to this, do remember to accept this answer to close the question.</P> Fri, 03 Aug 2018 20:22:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-multiple-fields-separately-and-calculate-stats/m-p/392453#M114188 somesoni2 2018-08-03T20:22:43Z