https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602094#M209573 <P>No sir, that didn't work. It still gave me a much higher number for the total calls.</P><P>Adding more details, this is how the message looks like:</P><P>[11:06:04 INF 7166e33f-bde7-49dd-aa72-523d8e7501a9] Server|Transaction|POST|aa72-523d8e7501a9|c1|200|0.2|127.0.0.1|GetProduct|ElasticSearch|3|/v1/getproduct</P><LI-CODE lang="markup">index=nprod sourcetype="xxxxxx" "Server|Transaction" | rex field=msg "Transaction\|[\"]?(?P&lt;verb&gt;[\w]*)[\"]?\|[\"]?(?P&lt;correlationId&gt;[a-zA-Z0-9-]*)[\"]?\|[\"]?(?P&lt;clientName&gt;[\w]*)[\"]?\|(?P&lt;httpStatus&gt;\d*)\|(?P&lt;timeTaken&gt;[\d.]*)\|[\"]?(?P&lt;clientIP&gt;[\d.]*)[\"]?\|[\"]?(?P&lt;apiMethod&gt;[\w]*)[\"]?\|[\"]?(?P&lt;sourceSystem&gt;[\w]*)[\"]?\|(?:(?P&lt;version&gt;[\d]+)?)" | eval version=coalesce(version, "N/A") | table clientName, apiMethod, sourceSystem, httpStatus, version, timeTaken | stats count as totalCalls avg(timeTaken) as avgTimeTaken by clientName, apiMethod, sourceSystem, httpStatus, version | eval avgTimeTaken=round(avgTimeTaken, 2)</LI-CODE><P>The version is an optional field so I'm coalescing it to 'NA' when it's not present.</P> Thu, 16 Jun 2022 14:15:50 GMT nmarun 2022-06-16T14:15:50Z https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602076#M209561 <P>Hi,</P> <P>I'm able to get the response in a tabular format using the command:</P> <P>table clientName, apiMethod, sourceSystem, httpStatus, version, timeTaken</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nmarun_0-1655385037486.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20131i2A1190F06002E190/image-size/medium?v=v2&amp;px=400" role="button" title="nmarun_0-1655385037486.png" alt="nmarun_0-1655385037486.png" /></span></P> <P>What I want is to do some aggregation on them and get the result like:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nmarun_1-1655385094069.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20132iF06E02F0B6B6121E/image-size/medium?v=v2&amp;px=400" role="button" title="nmarun_1-1655385094069.png" alt="nmarun_1-1655385094069.png" /></span></P> <P>Basically, group by clientName, apiMethod, sourceSystem, httpStatus, and version to get the total calls and the average time.</P> <P>The below command is clearly misleading:</P> <P>stats count(clientName) as TotalCalls, avg(timeTaken) as avgTimeTakenS by clientName, apiMethod, sourceSystem, httpStatus, version</P> <P>Please help.</P> <P>Thanks,</P> <P>Arun</P> Tue, 21 Jun 2022 15:46:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602076#M209561 nmarun 2022-06-21T15:46:15Z https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602088#M209569 <P>Give this a try</P><LI-CODE lang="markup">Your base search | table clientName, apiMethod, sourceSystem, httpStatus, version, timeTaken | stats count as totalCalls avg(timeTaken) as avgTimeTaken by clientName apiMethod sourceSystem httpStatus version</LI-CODE> Thu, 16 Jun 2022 13:57:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602088#M209569 somesoni2 2022-06-16T13:57:37Z https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602094#M209573 <P>No sir, that didn't work. It still gave me a much higher number for the total calls.</P><P>Adding more details, this is how the message looks like:</P><P>[11:06:04 INF 7166e33f-bde7-49dd-aa72-523d8e7501a9] Server|Transaction|POST|aa72-523d8e7501a9|c1|200|0.2|127.0.0.1|GetProduct|ElasticSearch|3|/v1/getproduct</P><LI-CODE lang="markup">index=nprod sourcetype="xxxxxx" "Server|Transaction" | rex field=msg "Transaction\|[\"]?(?P&lt;verb&gt;[\w]*)[\"]?\|[\"]?(?P&lt;correlationId&gt;[a-zA-Z0-9-]*)[\"]?\|[\"]?(?P&lt;clientName&gt;[\w]*)[\"]?\|(?P&lt;httpStatus&gt;\d*)\|(?P&lt;timeTaken&gt;[\d.]*)\|[\"]?(?P&lt;clientIP&gt;[\d.]*)[\"]?\|[\"]?(?P&lt;apiMethod&gt;[\w]*)[\"]?\|[\"]?(?P&lt;sourceSystem&gt;[\w]*)[\"]?\|(?:(?P&lt;version&gt;[\d]+)?)" | eval version=coalesce(version, "N/A") | table clientName, apiMethod, sourceSystem, httpStatus, version, timeTaken | stats count as totalCalls avg(timeTaken) as avgTimeTaken by clientName, apiMethod, sourceSystem, httpStatus, version | eval avgTimeTaken=round(avgTimeTaken, 2)</LI-CODE><P>The version is an optional field so I'm coalescing it to 'NA' when it's not present.</P> Thu, 16 Jun 2022 14:15:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602094#M209573 nmarun 2022-06-16T14:15:50Z https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602101#M209577 <P>Given that clientIP and correlationId both could be zero length, they could still appear in your numbers - could this account for the discrepancy?</P><P>If not, perhaps if you could reduce your search so you only have a small number of events with a discrepancy, and look at the actual events that are being included in the count to see if you can spot a pattern.</P> Thu, 16 Jun 2022 14:55:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602101#M209577 ITWhisperer 2022-06-16T14:55:43Z https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602102#M209578 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>,&nbsp;neither of those fields can be zero length, but I'll try your suggestion of limiting the fields and seeing which one breaks it.</P><P>Thanks,</P><P>Arun</P> Thu, 16 Jun 2022 14:59:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602102#M209578 nmarun 2022-06-16T14:59:59Z https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602105#M209580 <P>If they can't be zero length, use "+" instead of "*" - "+" means 1 or more, "*" means zero or more</P> Thu, 16 Jun 2022 15:10:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602105#M209580 ITWhisperer 2022-06-16T15:10:53Z https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602363#M209662 <P>I've sent these details to our internal Splunk team and am waiting for their response.</P><P>In the meantime, I can accept both your answers as the solution since you took the time to provide some assistance, or can wait till I hear back from my team.</P><P>Please advise.</P><P>Thanks,</P><P>Arun</P> Mon, 20 Jun 2022 06:29:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-over-multiple-fields-for-stats/m-p/602363#M209662 nmarun 2022-06-20T06:29:51Z