https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376503#M171222 <P>the 'table list 'command does not seem to work when I use it as you describe</P> Thu, 16 May 2019 19:01:36 GMT Mike6960 2019-05-16T19:01:36Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376491#M171210 <P>In my search i use a couple of stats counts, the problem is that after these commands I miss other that I want to use. For example _time. I dont need a count for these fields so how can I make sure they are stille available later on in the search?</P> <P>My search is for example:</P> <P>index=* <BR /> "message.Origin"=blabla<BR /> source="something " <BR /> | stats count(eval('logger' ="test1")) as "example",<BR /> count(eval(logger ="test2)) as "example2" by ID</P> <P>After the stats I only have the fields, example, example2 and ID</P> Thu, 16 May 2019 11:13:04 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376491#M171210 Mike6960 2019-05-16T11:13:04Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376492#M171211 <P>use <CODE>eventstats</CODE></P> Thu, 16 May 2019 12:43:26 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376492#M171211 adonio 2019-05-16T12:43:26Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376493#M171212 <P>@adonio means replace <CODE>stats</CODE> with <CODE>eventstats</CODE> and fields won't be dropped.</P> Thu, 16 May 2019 13:11:27 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376493#M171212 richgalloway 2019-05-16T13:11:27Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376494#M171213 <P>Replace stats with eventstats. </P> <PRE><CODE>index=* "message.Origin"=blabla source="something " | eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2)) as "example2" by ID | table example1,example2,source,index,ID </CODE></PRE> <P>Note: Eventstats is not good if you are concerned about the performance. </P> Thu, 16 May 2019 14:38:57 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376494#M171213 preactivity 2019-05-16T14:38:57Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376495#M171214 <P>yes. eventstats keeps all fields available for next command.</P> Thu, 16 May 2019 17:46:54 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376495#M171214 iparitosh 2019-05-16T17:46:54Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376496#M171215 <P>but if I use eventstats i get all the events back. So also the ones that don't match the conditions in the evals. I only want the event that (for example) where logger= "test1"</P> Thu, 16 May 2019 18:07:14 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376496#M171215 Mike6960 2019-05-16T18:07:14Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376497#M171216 <P>but if I use eventstats i get all the events back. So also the ones that don't match the conditions in the evals. I only want the event that (for example) where logger= "test1"</P> Thu, 16 May 2019 18:08:12 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376497#M171216 Mike6960 2019-05-16T18:08:12Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376498#M171217 <P>Post event stats you can filter events with | search logger=“test1”</P> Thu, 16 May 2019 18:13:47 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376498#M171217 iparitosh 2019-05-16T18:13:47Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376499#M171218 <P>ok, I wonder why I should stats or eventstats at all...... I could just use the search= instead, every tme when I think I understand Splunk I get confused</P> Thu, 16 May 2019 18:20:19 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376499#M171218 Mike6960 2019-05-16T18:20:19Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376500#M171219 <P>Try to apply all searches at the first stage so that you will have less data for the computation.</P> <PRE><CODE> index=* "message.Origin"=blabla source="something " | search logger="test1" OR logger="test2" | eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2)) as "example2" by ID | table example1,example2,source,index,ID </CODE></PRE> Thu, 16 May 2019 18:23:10 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376500#M171219 preactivity 2019-05-16T18:23:10Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376501#M171220 <P>Thanks, but with the stats command I got one line per ID and the 'loggers' in columns next to it. With eventstats I get per logger one line. what I need is for every single ID just one line with the other fields in columns next to it</P> Thu, 16 May 2019 18:30:31 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376501#M171220 Mike6960 2019-05-16T18:30:31Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376502#M171221 <P>Try this.</P> <PRE><CODE>index=* "message.Origin"=blabla source="something " | eventstats count(eval('logger' ="test1")) as "example", count(eval(logger ="test2”)) as "example2" by ID | stats List(field1) as field1 List(field2) as field2... List(fieldN) as fieldN max(example) max(example2) by ID </CODE></PRE> Thu, 16 May 2019 18:40:21 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376502#M171221 iparitosh 2019-05-16T18:40:21Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376503#M171222 <P>the 'table list 'command does not seem to work when I use it as you describe</P> Thu, 16 May 2019 19:01:36 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376503#M171222 Mike6960 2019-05-16T19:01:36Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376504#M171223 <P>My bad it should be <BR /> ... | stats list(field_name)... by ID</P> <P>Edited my answer.</P> Thu, 16 May 2019 19:05:04 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376504#M171223 iparitosh 2019-05-16T19:05:04Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376505#M171224 <P>I tried stats list instead but it does not seem to get the results I want</P> Thu, 16 May 2019 19:06:08 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376505#M171224 Mike6960 2019-05-16T19:06:08Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376506#M171225 <P>Can you explain what is the issue and provide your query here?</P> Thu, 16 May 2019 19:08:38 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376506#M171225 iparitosh 2019-05-16T19:08:38Z https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376507#M171226 <P>Just add dedup after the eventstats.<BR /> index=* "message.Origin"=blabla source="something " <BR /> | search logger="test1" OR logger="test2"<BR /> | eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2)) as "example2" by ID<BR /> | dedup ID<BR /> | table example1,example2,source,index,ID</P> Thu, 16 May 2019 19:13:40 GMT https://community.splunk.com/t5/Splunk-Search/add-fields-after-a-stats-count/m-p/376507#M171226 preactivity 2019-05-16T19:13:40Z