https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616918#M214400 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249848">@ghostrider</a>,</P><P>yes you can use more than one field in the stats command, so you could use:</P><LI-CODE lang="markup">BASE_SEARCH | rex field= _raw "Exception: (?&lt;Exception&gt;[^\.\&lt;]+)" | stats count as Count by TYPE "Exception"</LI-CODE><P>You have to put attention only to one thing: using two fields in the stats command you take only the events with both the fields, in other words, if one event has the TYPE field but not the TYPE field or opposite, the event isn't counted.</P><P>So you have to analyze your data to be sure that all the relevant events have both the fields.</P><P>If one of them could be missing, use fillnull command to assign a value (e.g. "-") when the value is missing.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 13 Oct 2022 06:32:22 GMT gcusello 2022-10-13T06:32:22Z https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616915#M214398 <P>I have&nbsp;below&nbsp;events/messages in my search result. There are 2 fields <STRONG>stack_trace</STRONG> and <STRONG>TYPE</STRONG> like below. I want to <STRONG>group the events and count</STRONG> them as shown below based on a particular text from <STRONG>stack_trace&nbsp;</STRONG>and <STRONG>TYPE</STRONG> field as below. Is it possible to group the messages based on 2 fields (<STRONG>TYPE,stack_trace</STRONG>)? I am using below query but I am stuck as to how to group by 2 fields.&nbsp;</P> <P><STRONG>Event 1</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{ TYPE: ABCD stack_trace : com.abc.xyz.package.ExceptionName: Missing A. at random.package.w(DummyFile1:45) at random.package.x(DummyFile2:64) at random.package.y(DummyFile3:79) }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Event 2</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{ TYPE: XYZ stack_trace : com.abc.xyz.package.ExceptionName: Missing B. at random.package.w(DummyFile1:45) at random.package.x(DummyFile2:64) at random.package.y(DummyFile3:79) }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Expected Output</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">TYPE Exception Count ABCD Missing A 3 ABCD Missing B 4 XYZ Missing A 6 XYZ Missing B 1</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Query I am using but incomplete&nbsp;<BR /><BR /></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">BASE_SEARCH | rex field= _raw "Exception: (?&lt;Exception&gt;[^\.\&lt;]+)" | stats count as Count by "Exception"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Actual Output</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">Exception Count Missing A 3 Missing B 4 Missing c 6</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 13 Oct 2022 14:25:18 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616915#M214398 ghostrider 2022-10-13T14:25:18Z https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616918#M214400 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249848">@ghostrider</a>,</P><P>yes you can use more than one field in the stats command, so you could use:</P><LI-CODE lang="markup">BASE_SEARCH | rex field= _raw "Exception: (?&lt;Exception&gt;[^\.\&lt;]+)" | stats count as Count by TYPE "Exception"</LI-CODE><P>You have to put attention only to one thing: using two fields in the stats command you take only the events with both the fields, in other words, if one event has the TYPE field but not the TYPE field or opposite, the event isn't counted.</P><P>So you have to analyze your data to be sure that all the relevant events have both the fields.</P><P>If one of them could be missing, use fillnull command to assign a value (e.g. "-") when the value is missing.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 13 Oct 2022 06:32:22 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616918#M214400 gcusello 2022-10-13T06:32:22Z https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616920#M214401 <P>Thanks!! I just ran the query, and it looks like it shows "null" in the final output when the TYPE fields is not present but stack_trace is present. Is it possible to replace the null with some string like "N/A" so that it looks cleaner.&nbsp;</P> Thu, 13 Oct 2022 06:42:55 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616920#M214401 ghostrider 2022-10-13T06:42:55Z https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616921#M214402 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249848">@ghostrider</a>,</P><P>as I said, you can use the fillnull command (<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull</A>)&nbsp;</P><LI-CODE lang="markup">BASE_SEARCH | rex field= _raw "Exception: (?&lt;Exception&gt;[^\.\&lt;]+)" | fillnull value="N/A" TYPE | stats count as Count by TYPE "Exception"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 13 Oct 2022 06:47:44 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-the-messages-based-on-2-fields-in-splunk/m-p/616921#M214402 gcusello 2022-10-13T06:47:44Z