https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489249#M136671 <P>I have firewall logs where the field "user" has multiple user id's including guest and unknown. I need to count all the events with user guest and unknown then create a table where one column will provide the result, name the column as unauthenticated . The other column should display all other users with the field name authenticated. Each row should also display the firewall name.</P> <P>the table should display like this.<BR /> firewall |authenticated|unauthenticated<BR /> firewall1 | 100 | 35 <BR /> firewall2 | 75 | 20<BR /> firewall3 | 65 |11</P> <P>right now i can do this by doing 2 searches but it is displayed on 2 tables</P> <P>ex. index=fw sourcetype=auth user=unknown AND user=guest | stats count by firewall<BR /> index=fw sourcetype=auth user!=unknown AND user!=guest | stats count by firewall</P> Mon, 20 Jan 2020 11:45:04 GMT d4rk_sp1d3r 2020-01-20T11:45:04Z https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489249#M136671 <P>I have firewall logs where the field "user" has multiple user id's including guest and unknown. I need to count all the events with user guest and unknown then create a table where one column will provide the result, name the column as unauthenticated . The other column should display all other users with the field name authenticated. Each row should also display the firewall name.</P> <P>the table should display like this.<BR /> firewall |authenticated|unauthenticated<BR /> firewall1 | 100 | 35 <BR /> firewall2 | 75 | 20<BR /> firewall3 | 65 |11</P> <P>right now i can do this by doing 2 searches but it is displayed on 2 tables</P> <P>ex. index=fw sourcetype=auth user=unknown AND user=guest | stats count by firewall<BR /> index=fw sourcetype=auth user!=unknown AND user!=guest | stats count by firewall</P> Mon, 20 Jan 2020 11:45:04 GMT https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489249#M136671 d4rk_sp1d3r 2020-01-20T11:45:04Z https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489250#M136672 <P>The first query might have a typo in it. It's not possible for the 'user' field to be both "unknown" and "guest" at the same time.</P> Mon, 20 Jan 2020 13:55:13 GMT https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489250#M136672 richgalloway 2020-01-20T13:55:13Z https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489251#M136673 <P>Try like this</P> <PRE><CODE> index=fw sourcetype=auth | eval type=if(user="unknown" OR user="guest", "unauthenticated", "authenticated") | chart count by firewall type </CODE></PRE> Mon, 20 Jan 2020 17:25:01 GMT https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489251#M136673 somesoni2 2020-01-20T17:25:01Z https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489252#M136674 <P>that's not exactly the search i used so the spelling is not a concern. just want everyone to understand the question. the field user has different user id's in it. guest, unknown, user1, user2, so on and so fourth.</P> Tue, 21 Jan 2020 03:03:49 GMT https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489252#M136674 d4rk_sp1d3r 2020-01-21T03:03:49Z https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489253#M136675 <P>this worked for me. thanks alot!</P> Tue, 21 Jan 2020 03:04:45 GMT https://community.splunk.com/t5/Splunk-Search/create-a-table-with-one-column-will-display-some-items-on-one/m-p/489253#M136675 d4rk_sp1d3r 2020-01-21T03:04:45Z