https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74146#M18638 <P>Try this:<BR /> index="access" SFO earliest=-20m latest=now | stats count by READER_NAME</P> <P>Keep in mind that by having SFO in your search you might only get events that contain SFO. </P> Tue, 25 Jun 2013 00:12:10 GMT adrianathome 2013-06-25T00:12:10Z https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74145#M18637 <P>I have a table called READER_NAME<BR /> this table has all info of reader</P> <P>I want to query with location(PHX,SFO,SLC,THF.TKO) and get result like this</P> <P>PHX:20<BR /> SFO:10<BR /> SLC:20<BR /> THF:100<BR /> TKO:10</P> <P>if I do this query</P> <P>index="access" SFO earliest=-20m latest=now | stats count(READER_NAME)</P> <P>I only get result on SFO(SFO:10)</P> <P>Any solution that I can get multiple counts with one query</P> <P>Thank you in advance </P> Mon, 24 Jun 2013 23:53:58 GMT https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74145#M18637 sati80 2013-06-24T23:53:58Z https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74146#M18638 <P>Try this:<BR /> index="access" SFO earliest=-20m latest=now | stats count by READER_NAME</P> <P>Keep in mind that by having SFO in your search you might only get events that contain SFO. </P> Tue, 25 Jun 2013 00:12:10 GMT https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74146#M18638 adrianathome 2013-06-25T00:12:10Z https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74147#M18639 <P>if I query<BR /> index="access" earliest=-20m latest=now | table READER_NAME</P> <P>It returns </P> <PRE><CODE>PHX DC STRWL SEOL VENDOR OFF 1 KUL.26 OFFICE NTH SEOL.37 S ELEV LOBBY ENT TPZ DC 1.1 LOBBY MANTRAP EXIT 1 PHX DC 2.2 S OFFICE ENT TPZ DC 1.1 LOBBY MANTRAP EXIT 1 SEOL.19 NORTH LOBBY ENT SEOL.36 N ELEV LOBBY ENT </CODE></PRE> <P>and I want to get count on each location</P> <P>if I try this query</P> <P>index="access" earliest=-20m latest=now | stats count(READER_NAME)</P> <P>it only returns count number</P> <P>Thank you,</P> Tue, 25 Jun 2013 00:16:34 GMT https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74147#M18639 sati80 2013-06-25T00:16:34Z https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74148#M18640 <P>I updated my answer. Check below.</P> Tue, 25 Jun 2013 00:24:06 GMT https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74148#M18640 adrianathome 2013-06-25T00:24:06Z https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74149#M18641 <P>I want to get all locations with one query <BR /> the result should be like this<BR /> PHX:20<BR /> SFO:10<BR /> SLC:20<BR /> THF:100<BR /> TKO:10</P> Tue, 25 Jun 2013 00:33:47 GMT https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74149#M18641 sati80 2013-06-25T00:33:47Z https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74150#M18642 <P>Try it without the SFO in your search. Then write some regex to extract the Codes (SFO, PHX, SLC). Without knowing your data, see below.</P> <P>index="access" earliest=-20m latest=now | rex field=READER_NAME (?<LOCATION>^\w*) | stats count by location</LOCATION></P> Tue, 25 Jun 2013 01:00:09 GMT https://community.splunk.com/t5/Splunk-Search/multiple-counts-in-one-table/m-p/74150#M18642 adrianathome 2013-06-25T01:00:09Z