https://community.splunk.com/t5/Splunk-Search/Increase-count-of-events-but-no-field-results-show-up/m-p/404584#M117019 <P>When searching with this sample query, results show up like below</P> <P>index=abc sourcetype=def 1.1.1.1 </P> <P>For example, field1 has the following values:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6851i5DFC7699F7699CDB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>field2:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6852iBD11735754ECCBBD/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Since each IP needs to be displayed, I wrote this query:</P> <PRE><CODE>|eval temp=split(field1,",+") | eval IP1=mvindex(temp,0) | eval IP2=mvindex(temp,1) | eval IP3=mvindex(temp,2) </CODE></PRE> <P>But there's also a requirement to search for total events &gt;= 1000 and still able to display the 3 IPs in a table along with values(field2). When I use count &gt;= 5, results are displayed, but when I use count &gt;= 1000, the results are not. For example: below is expected result</P> <PRE><CODE>_time IP1 IP2 IP3 field2 4/8/2019 23:16 1.1.1.1 2.3.4.5 6.7.8.9 /ccss/custom/etc /ccss/custom/etc1 4/8/2019 23:16 1.1.1.1 2.3.4.5 6.7.8.10 /ccss/custom/etc /ccss/custom/etc2 4/8/2019 23:16 1.1.1.1 2.3.4.5 6.7.8.11 /ccss/custom/etc /ccss/custom/etc3 </CODE></PRE> <HR /> <P>This is my query so far:</P> <PRE><CODE>index=abc sourcetype=def 1.1.1.1 |eval temp=split(field1,",+") | eval IP1=mvindex(temp,0) | eval IP2=mvindex(temp,1) | eval IP3=mvindex(temp,2) | stats values(field2) as field2 count(field1) as event_count by IP1 IP2 IP3 _time | where event_count &gt;=1000 </CODE></PRE> Wed, 10 Apr 2019 17:49:10 GMT superstarmd 2019-04-10T17:49:10Z https://community.splunk.com/t5/Splunk-Search/Increase-count-of-events-but-no-field-results-show-up/m-p/404584#M117019 <P>When searching with this sample query, results show up like below</P> <P>index=abc sourcetype=def 1.1.1.1 </P> <P>For example, field1 has the following values:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6851i5DFC7699F7699CDB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>field2:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6852iBD11735754ECCBBD/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Since each IP needs to be displayed, I wrote this query:</P> <PRE><CODE>|eval temp=split(field1,",+") | eval IP1=mvindex(temp,0) | eval IP2=mvindex(temp,1) | eval IP3=mvindex(temp,2) </CODE></PRE> <P>But there's also a requirement to search for total events &gt;= 1000 and still able to display the 3 IPs in a table along with values(field2). When I use count &gt;= 5, results are displayed, but when I use count &gt;= 1000, the results are not. For example: below is expected result</P> <PRE><CODE>_time IP1 IP2 IP3 field2 4/8/2019 23:16 1.1.1.1 2.3.4.5 6.7.8.9 /ccss/custom/etc /ccss/custom/etc1 4/8/2019 23:16 1.1.1.1 2.3.4.5 6.7.8.10 /ccss/custom/etc /ccss/custom/etc2 4/8/2019 23:16 1.1.1.1 2.3.4.5 6.7.8.11 /ccss/custom/etc /ccss/custom/etc3 </CODE></PRE> <HR /> <P>This is my query so far:</P> <PRE><CODE>index=abc sourcetype=def 1.1.1.1 |eval temp=split(field1,",+") | eval IP1=mvindex(temp,0) | eval IP2=mvindex(temp,1) | eval IP3=mvindex(temp,2) | stats values(field2) as field2 count(field1) as event_count by IP1 IP2 IP3 _time | where event_count &gt;=1000 </CODE></PRE> Wed, 10 Apr 2019 17:49:10 GMT https://community.splunk.com/t5/Splunk-Search/Increase-count-of-events-but-no-field-results-show-up/m-p/404584#M117019 superstarmd 2019-04-10T17:49:10Z https://community.splunk.com/t5/Splunk-Search/Increase-count-of-events-but-no-field-results-show-up/m-p/404585#M117020 <P>You may not be aware that all the <CODE>*stats</CODE> commands and functions are multivalue-aware/safe, so try this:</P> <PRE><CODE>index=abc sourcetype=def 1.1.1.1 |eval IP=split(field1,",+") | stats values(field2) AS field2 count(field1) AS event_count BY IP _time | where event_count &gt;=1000 </CODE></PRE> <P>I am skeptical that you need the <CODE>_time</CODE> there, but I am trusting you on that part. Perhaps this is more what you need?</P> <PRE><CODE>index=abc sourcetype=def 1.1.1.1 |eval IP=split(field1,",+") | stats count AS event_count BY IP field1 | stats list(*) AS * sum(event_count) AS total_event_count BY IP | where total_event_count &gt;=1000 </CODE></PRE> Thu, 11 Apr 2019 00:06:03 GMT https://community.splunk.com/t5/Splunk-Search/Increase-count-of-events-but-no-field-results-show-up/m-p/404585#M117020 woodcock 2019-04-11T00:06:03Z https://community.splunk.com/t5/Splunk-Search/Increase-count-of-events-but-no-field-results-show-up/m-p/404586#M117021 <P>I still got the "No results found." message even though there are more than 1000 events found..When I lowered it to 5 I got some results.</P> Thu, 11 Apr 2019 12:51:29 GMT https://community.splunk.com/t5/Splunk-Search/Increase-count-of-events-but-no-field-results-show-up/m-p/404586#M117021 superstarmd 2019-04-11T12:51:29Z