https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481579#M134972 <P>If that is the case, you will need to show us a sample log.</P> Fri, 10 Jan 2020 18:45:05 GMT to4kawa 2020-01-10T18:45:05Z https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481576#M134969 <P>I am trying to get count of four fields [ company_name companyID CustomerId Provider] by each hour </P> <PRE><CODE>index=IndexName | bin span=1h _time | stats count by company_name companyID CustomerId Provider _time | sort 0 _time | eval results= 'companyName'+" : "+'companyID'+" : "+'CustomerId'+" : "+'Provider' | eval time=strftime(_time,"%m-%d-%Y--%H-%M-%S") | table results time count | xyseries results time count | rex field=results "(?&lt;companyName&gt;.+):(?&lt;companyID&gt;.+):(?&lt;CustomerId&gt;.+):(?&lt;Provider&gt;.+)" | table company_name companyID CustomerId Provider * | addcoltotals labelfield=company_name label="Total_count" | fields - count results </CODE></PRE> <P>I am able to get results like i need, But i am pretty sure this search isn't the good way to do it. </P> <P>Expected results:</P> <PRE><CODE>company_name companyID CustomerId Provider 12:00 01:00 02:00 03:00 04:00 --- Apple 1234 vgs31982 pro-1 10 20 30 40 10 google 567 kjf733 pro-2 11 11 33 83 20 Total_count 21 31 63 123 30 </CODE></PRE> <P>can some help me on this.</P> Thu, 09 Jan 2020 22:33:29 GMT https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481576#M134969 snallam123 2020-01-09T22:33:29Z https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481577#M134970 <PRE><CODE>index=IndexName | eval results= 'companyName'+" : "+'companyID'+" : "+'CustomerId'+" : "+'Provider' | timechart span=1h count by results | eval time=strftime(_time,"%H:%M") | table results time count | xyseries results time count | addcoltotals labelfield=results label="Total_count" | rex field=results "(?&lt;companyName&gt;.+):(?&lt;companyID&gt;.+):(?&lt;CustomerId&gt;.+):(?&lt;Provider&gt;.+)" | table company_name companyID CustomerId Provider * | fields - count results | fillnull company_name value="Total_count" </CODE></PRE> Fri, 10 Jan 2020 13:35:06 GMT https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481577#M134970 to4kawa 2020-01-10T13:35:06Z https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481578#M134971 <P>Actually my query is working fine, I am just looking for a different approach without combining all fields. <BR /> I can't accept this answer, I don't see any difference from what my question is..</P> Fri, 10 Jan 2020 16:10:03 GMT https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481578#M134971 snallam123 2020-01-10T16:10:03Z https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481579#M134972 <P>If that is the case, you will need to show us a sample log.</P> Fri, 10 Jan 2020 18:45:05 GMT https://community.splunk.com/t5/Splunk-Search/can-we-get-4-different-fields-count-per-hour/m-p/481579#M134972 to4kawa 2020-01-10T18:45:05Z