https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524860#M148068 <P>You can call multiple function in stats. Like this</P><P>&nbsp;</P><LI-CODE lang="markup">search foobar | stats values(ip) as ips_used dc(ips) as ips_count by user</LI-CODE> Thu, 15 Oct 2020 13:40:56 GMT somesoni2 2020-10-15T13:40:56Z https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524849#M148065 <P>I have logs like this:</P><P>user=userA ip=1.1.1.1 ...<BR />user=userA ip=1.1.1.2 ...<BR />user=userB ip=1.1.2.1 ...<BR />user=userB ip=1.1.2.1 ...<BR />user=userC ip=1.1.3.1 ...<BR />user=userC ip=1.1.3.2 ...<BR />user=userC ip=1.1.3.3 ...</P><P>Now I want to have a list of all users with their IPs and the count of the different IPs.<BR /><BR />First I do this:</P><P>======<BR />search foobar<BR />| stats values(user) by ip<BR />======</P><P>Result is:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">userA</TD><TD width="50%">1.1.1.1<BR />1.1.1.2</TD></TR><TR><TD width="50%">userB</TD><TD width="50%">1.1.2.1</TD></TR><TR><TD width="50%">userC</TD><TD width="50%">1.1.3.1<BR />1.1.3.2<BR />1.1.3.3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How do I count and display the IPs? It should look like this:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">userA</TD><TD width="33.333333333333336%">1.1.1.1<BR />1.1.1.2</TD><TD width="33.333333333333336%">2</TD></TR><TR><TD width="33.333333333333336%">userB</TD><TD width="33.333333333333336%">1.1.2.1</TD><TD width="33.333333333333336%">1</TD></TR><TR><TD width="33.333333333333336%">userC</TD><TD width="33.333333333333336%">1.1.3.1<BR />1.1.3.2<BR />1.1.3.3</TD><TD width="33.333333333333336%">&nbsp;3</TD></TR></TBODY></TABLE> Thu, 15 Oct 2020 13:14:21 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524849#M148065 dav_muel 2020-10-15T13:14:21Z https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524854#M148067 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227648">@dav_muel</a>&nbsp;,<BR /><BR />This should work:</P><LI-CODE lang="markup">search foobar | stats values(ip) as ips by user | eval ipcount=mvcount(ips)</LI-CODE><P>&nbsp;<BR />BR<BR />Ralph</P> Thu, 15 Oct 2020 13:33:00 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524854#M148067 rnowitzki 2020-10-15T13:33:00Z https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524860#M148068 <P>You can call multiple function in stats. Like this</P><P>&nbsp;</P><LI-CODE lang="markup">search foobar | stats values(ip) as ips_used dc(ips) as ips_count by user</LI-CODE> Thu, 15 Oct 2020 13:40:56 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524860#M148068 somesoni2 2020-10-15T13:40:56Z https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524862#M148069 <P>&nbsp;</P><LI-CODE lang="markup">base search | stats dc(ip) as IP_COUNT values(ip) as ip_list by User</LI-CODE><P>&nbsp;</P> Thu, 15 Oct 2020 13:50:23 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-of-grouped-key/m-p/524862#M148069 inventsekar 2020-10-15T13:50:23Z