https://community.splunk.com/t5/Splunk-Search/group-by-field-values/m-p/130410#M184537 <P>Hi! I'm a new user and have begun using this awesome tool. I've got a question about how to group things, below.<BR /> Suppose I have a log file that has 2 options for the field host: host-a, host-b and 2 different users. The users are turned into a field by using the rex filed=_raw command.</P> <P>This command will tells how many times each user has logged on:</P> <PRE><CODE>index=spss earliest=-25h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count by user </CODE></PRE> <P>This command will tells how many times each user has logged into each server</P> <PRE><CODE>index=spss earliest=-25h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count by user host </CODE></PRE> <P>It gives an output that looks something like the following:</P> <P>user..........host..........count</P> <P>user1........host-a..........2</P> <P>user2........host-b..........5</P> <P>user2........host-a..........3</P> <P>How can I modify the post to get a unique list of how many people have logged onto each host e.g.</P> <P>host..........count</P> <P>host-a............2</P> <P>host-b............1</P> <P>I essentially want to group by user, but am not sure of how to do that. Thanks in advance!</P> Thu, 18 Sep 2014 13:39:21 GMT Splunkster45 2014-09-18T13:39:21Z https://community.splunk.com/t5/Splunk-Search/group-by-field-values/m-p/130410#M184537 <P>Hi! I'm a new user and have begun using this awesome tool. I've got a question about how to group things, below.<BR /> Suppose I have a log file that has 2 options for the field host: host-a, host-b and 2 different users. The users are turned into a field by using the rex filed=_raw command.</P> <P>This command will tells how many times each user has logged on:</P> <PRE><CODE>index=spss earliest=-25h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count by user </CODE></PRE> <P>This command will tells how many times each user has logged into each server</P> <PRE><CODE>index=spss earliest=-25h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count by user host </CODE></PRE> <P>It gives an output that looks something like the following:</P> <P>user..........host..........count</P> <P>user1........host-a..........2</P> <P>user2........host-b..........5</P> <P>user2........host-a..........3</P> <P>How can I modify the post to get a unique list of how many people have logged onto each host e.g.</P> <P>host..........count</P> <P>host-a............2</P> <P>host-b............1</P> <P>I essentially want to group by user, but am not sure of how to do that. Thanks in advance!</P> Thu, 18 Sep 2014 13:39:21 GMT https://community.splunk.com/t5/Splunk-Search/group-by-field-values/m-p/130410#M184537 Splunkster45 2014-09-18T13:39:21Z https://community.splunk.com/t5/Splunk-Search/group-by-field-values/m-p/130411#M184538 <P>Welcome Splunkster45,</P> <P>try this:</P> <PRE><CODE>index=spss earliest=-25h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count(user) AS count by host </CODE></PRE> <P>hope this helps ...</P> <P>cheers, MuS</P> Thu, 18 Sep 2014 13:43:41 GMT https://community.splunk.com/t5/Splunk-Search/group-by-field-values/m-p/130411#M184538 MuS 2014-09-18T13:43:41Z