topic Re: Need Help Creating a Nested Stats Table and Grouping by Multiple Values in Splunk Search https://community.splunk.com/t5/Splunk-Search/Need-Help-Creating-a-Nested-Stats-Table-and-Grouping-by-Multiple/m-p/569136#M198358 <P>Figured it out, pretty simple but I was doing the operations in the wrong order originally.</P><P>&nbsp;</P><LI-CODE lang="markup">index="my_custom_index" "properties.requestUri"="http*://my.customwebpage.com:443/api/NotARealEndpoint/*/CoolCars/*" AND NOT "properties.clientIp"="127.0.*.*" AND NOT properties.httpStatusCode=401 |rex field="properties.requestUri" "http(.):\/\/my.customwebpage.com:(\d+)\/api\/NotARealEndpoint\/(?&lt;uniqueHash&gt;[a-zA-z0-9].+[^\/])\/CoolCars\/(?&lt;CarID&gt;[\d].+)" | stats count by properties.clientIp, uniqueHash, CarID | stats list(uniqueHash) as UniqueHash, list(CarID) as CarID, list(count) as Count by properties.clientIp | append [ search index="my_custom_index" "properties.requestUri"="http*://my.customwebpage.com:443/api/NotARealEndpoint/*/CoolCars/*" AND NOT "properties.clientIp"="127.0.*.*" |rex field="properties.requestUri" "http(.):\/\/my.customwebpage.com:(\d+)\/api\/NotARealEndpoint\/(?&lt;uniqueHash&gt;[a-zA-z0-9].+[^\/])\/CoolCars\/(?&lt;CarID&gt;[\d].+)" | stats count by uniqueHash,CarID ] | table properties.clientIp, UniqueHash, CarID, Count</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 30 Sep 2021 12:59:26 GMT TheColorBlack 2021-09-30T12:59:26Z Need Help Creating a Nested Stats Table and Grouping by Multiple Values https://community.splunk.com/t5/Splunk-Search/Need-Help-Creating-a-Nested-Stats-Table-and-Grouping-by-Multiple/m-p/568986#M198313 <P>Hey guys,</P><P>&nbsp;</P><P>I need some quick help creating a nested stats table and grouping by multiple values within that table. My data contains the following data points that I am trying to correlate / visualize: Client IP Address, Unique Hash ID, Unique Document ID, and the count that shows the number of times an IP Address accessed a Unique Hash ID, and Doc ID.</P><P>&nbsp;</P><P>An example data set is:</P><P>&nbsp;</P><P>192.168.1.1 (client IP), abcdefg1 (hash 1),&nbsp; 12948(DocID1), 129584(DocID2), 1029384(DocID3)</P><P>192.168.1.1(Client IP), abcdefg2 (hash 2), 10294 (DocID 1),</P><P>192.168.1.5(Client IP), abcdefg1 (hash1), 12948(DocID1), 1029484(DocID2)</P><P>&nbsp;</P><P>I'm looking to create the following table to help visualize these relationships<BR /><BR />|</P><TABLE border="1" width="100%"><TBODY><TR><TD width="16.666666666666668%">Client IP</TD><TD width="16.666666666666668%">Unique Hash</TD><TD width="16.666666666666668%">Document ID</TD><TD width="16.666666666666668%">Count</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD></TR><TR><TD width="16.666666666666668%">192.168.1.1</TD><TD width="16.666666666666668%">abcdefg1</TD><TD width="16.666666666666668%">12948</TD><TD width="16.666666666666668%">5</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD></TR><TR><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>129584</TD><TD>10</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>1029384</TD><TD>15</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD>&nbsp;</TD><TD>abcdefg2</TD><TD>12948</TD><TD>2</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">1029484</TD><TD width="16.666666666666668%">3</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD></TR><TR><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD></TR><TR><TD>192.168.1.5</TD><TD>abcdefg1</TD><TD>12948</TD><TD>1</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>1029484</TD><TD>4</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I've created nested tables before but I'm really stumping myself on this one. Any advice?</P> Wed, 29 Sep 2021 18:18:19 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-Creating-a-Nested-Stats-Table-and-Grouping-by-Multiple/m-p/568986#M198313 TheColorBlack 2021-09-29T18:18:19Z Re: Need Help Creating a Nested Stats Table and Grouping by Multiple Values https://community.splunk.com/t5/Splunk-Search/Need-Help-Creating-a-Nested-Stats-Table-and-Grouping-by-Multiple/m-p/569136#M198358 <P>Figured it out, pretty simple but I was doing the operations in the wrong order originally.</P><P>&nbsp;</P><LI-CODE lang="markup">index="my_custom_index" "properties.requestUri"="http*://my.customwebpage.com:443/api/NotARealEndpoint/*/CoolCars/*" AND NOT "properties.clientIp"="127.0.*.*" AND NOT properties.httpStatusCode=401 |rex field="properties.requestUri" "http(.):\/\/my.customwebpage.com:(\d+)\/api\/NotARealEndpoint\/(?&lt;uniqueHash&gt;[a-zA-z0-9].+[^\/])\/CoolCars\/(?&lt;CarID&gt;[\d].+)" | stats count by properties.clientIp, uniqueHash, CarID | stats list(uniqueHash) as UniqueHash, list(CarID) as CarID, list(count) as Count by properties.clientIp | append [ search index="my_custom_index" "properties.requestUri"="http*://my.customwebpage.com:443/api/NotARealEndpoint/*/CoolCars/*" AND NOT "properties.clientIp"="127.0.*.*" |rex field="properties.requestUri" "http(.):\/\/my.customwebpage.com:(\d+)\/api\/NotARealEndpoint\/(?&lt;uniqueHash&gt;[a-zA-z0-9].+[^\/])\/CoolCars\/(?&lt;CarID&gt;[\d].+)" | stats count by uniqueHash,CarID ] | table properties.clientIp, UniqueHash, CarID, Count</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 30 Sep 2021 12:59:26 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-Creating-a-Nested-Stats-Table-and-Grouping-by-Multiple/m-p/569136#M198358 TheColorBlack 2021-09-30T12:59:26Z