https://community.splunk.com/t5/Splunk-Search/Combining-search-statements/m-p/349592#M159559 <P>For each subject in the search sentence, the count number is displayed.<BR /> In addition to the information currently being displayed, I want to display the attached file name for each subject.</P> <P>The search sentence you are using is below.<BR /> ※ Partially omitted</P> <P>index=xxxxx<BR /> | lookup ～ommitted～<BR /> | stats count ～ommitted～ by subject</P> <P>Can I display the attached file name by adding it to the search sentence that is counting?</P> <P>-image-</P> <P>Subject | Number | attached file name | Number of Mail with Attachment</P> <P>AAAA | 100 | aaaa | 10<BR /> BBBB | 50 | none | 0<BR /> CCCC | 200 | cccc | 200</P> <P>In the current search searches, only the subject line and number of items are displayed.<BR /> *I want to display none if there is no attached file.</P> Thu, 03 Aug 2017 05:12:32 GMT honobe 2017-08-03T05:12:32Z https://community.splunk.com/t5/Splunk-Search/Combining-search-statements/m-p/349592#M159559 <P>For each subject in the search sentence, the count number is displayed.<BR /> In addition to the information currently being displayed, I want to display the attached file name for each subject.</P> <P>The search sentence you are using is below.<BR /> ※ Partially omitted</P> <P>index=xxxxx<BR /> | lookup ～ommitted～<BR /> | stats count ～ommitted～ by subject</P> <P>Can I display the attached file name by adding it to the search sentence that is counting?</P> <P>-image-</P> <P>Subject | Number | attached file name | Number of Mail with Attachment</P> <P>AAAA | 100 | aaaa | 10<BR /> BBBB | 50 | none | 0<BR /> CCCC | 200 | cccc | 200</P> <P>In the current search searches, only the subject line and number of items are displayed.<BR /> *I want to display none if there is no attached file.</P> Thu, 03 Aug 2017 05:12:32 GMT https://community.splunk.com/t5/Splunk-Search/Combining-search-statements/m-p/349592#M159559 honobe 2017-08-03T05:12:32Z https://community.splunk.com/t5/Splunk-Search/Combining-search-statements/m-p/349593#M159560 <P>try...<BR /> | eval filename=coalesce(filename, "none")<BR /> | stats count values(filename) as filename by subject</P> Thu, 03 Aug 2017 20:01:09 GMT https://community.splunk.com/t5/Splunk-Search/Combining-search-statements/m-p/349593#M159560 DalJeanis 2017-08-03T20:01:09Z https://community.splunk.com/t5/Splunk-Search/Combining-search-statements/m-p/349594#M159561 <P>Thanks to your answer, I was able to solve the problem.</P> Fri, 04 Aug 2017 00:57:16 GMT https://community.splunk.com/t5/Splunk-Search/Combining-search-statements/m-p/349594#M159561 honobe 2017-08-04T00:57:16Z