https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625365#M217388 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252474">@villnooB</a>&nbsp;</P><P>can you try following qurey,&nbsp;highlight lines are are newly added&nbsp;</P><P><SPAN>| convert timeformat="%F %H:%M" ctime(zone) as ctime</SPAN><BR /><SPAN>| stats count by user fullname country ctime location<BR /><STRONG>| eval Filter=if(location="Office","Yes","NO")</STRONG><BR /></SPAN><STRONG>| search&nbsp;Filter="Yes"</STRONG><BR /><SPAN>| rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country"</SPAN><BR /><SPAN>| fields - count</SPAN><BR /><SPAN>| sort 0 NetworkID<BR />|&nbsp;</SPAN></P> Wed, 28 Dec 2022 05:06:55 GMT SanjayReddy 2022-12-28T05:06:55Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625356#M217386 <P>Hi guys,</P> <P>Can you please help me , I am trying to create a query in which it shows if a user is in&nbsp; a different location in the sameday it will only prioritize one of it. please see below</P> <LI-CODE lang="markup">| convert timeformat="%F %H:%M" ctime(zone) as ctime | stats count by user fullname country ctime location | rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country" | fields - count | sort 0 NetworkID </LI-CODE> <P>This is what i am getting if I'm using the query above</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%" height="25px">NetworkID</TD> <TD width="25%" height="25px">Name</TD> <TD width="12.5%" height="25px">Country</TD> <TD width="12.5%" height="25px">DateStamp</TD> <TD width="25%" height="25px">Location</TD> </TR> <TR> <TD width="25%" height="47px">userA</TD> <TD width="25%" height="47px">A Sample</TD> <TD width="12.5%" height="47px">Spain</TD> <TD width="12.5%" height="47px">12-26-2022</TD> <TD width="25%" height="47px">Office</TD> </TR> <TR> <TD width="25%" height="47px"><STRONG>userA</STRONG></TD> <TD width="25%" height="47px"><STRONG>A Sample</STRONG></TD> <TD width="12.5%" height="47px"><STRONG>Spain</STRONG></TD> <TD width="12.5%" height="47px"><STRONG>12-27-2022</STRONG></TD> <TD width="25%" height="47px"><STRONG>Office</STRONG></TD> </TR> <TR> <TD height="47px"><STRONG>userA</STRONG></TD> <TD height="47px"><STRONG>A Sample</STRONG></TD> <TD height="47px"><STRONG>Spain</STRONG></TD> <TD height="47px"><STRONG>12-27-2022</STRONG></TD> <TD height="47px"><STRONG>Home</STRONG></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>and this is what I am trying to get that If it's in the same day it will only Select the office</P> <TABLE border="1"> <TBODY> <TR> <TD width="25%" height="25px">NetworkID</TD> <TD width="25%" height="25px">Name</TD> <TD width="12.5%" height="25px">Country</TD> <TD width="12.5%" height="25px">DateStamp</TD> <TD width="25%" height="25px">Location</TD> </TR> <TR> <TD width="25%" height="47px">userA</TD> <TD width="25%" height="47px">A Sample</TD> <TD width="12.5%" height="47px">Spain</TD> <TD width="12.5%" height="47px">12-26-2022</TD> <TD width="25%" height="47px">Office</TD> </TR> <TR> <TD width="25%" height="47px"><STRONG>userA</STRONG></TD> <TD width="25%" height="47px"><STRONG>A Sample</STRONG></TD> <TD width="12.5%" height="47px"><STRONG>Spain</STRONG></TD> <TD width="12.5%" height="47px"><STRONG>12-27-2022</STRONG></TD> <TD width="25%" height="47px"><STRONG>Office</STRONG></TD> </TR> </TBODY> </TABLE> <P>Thank you in advance</P> Thu, 29 Dec 2022 04:17:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625356#M217386 villnooB 2022-12-29T04:17:58Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625365#M217388 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252474">@villnooB</a>&nbsp;</P><P>can you try following qurey,&nbsp;highlight lines are are newly added&nbsp;</P><P><SPAN>| convert timeformat="%F %H:%M" ctime(zone) as ctime</SPAN><BR /><SPAN>| stats count by user fullname country ctime location<BR /><STRONG>| eval Filter=if(location="Office","Yes","NO")</STRONG><BR /></SPAN><STRONG>| search&nbsp;Filter="Yes"</STRONG><BR /><SPAN>| rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country"</SPAN><BR /><SPAN>| fields - count</SPAN><BR /><SPAN>| sort 0 NetworkID<BR />|&nbsp;</SPAN></P> Wed, 28 Dec 2022 05:06:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625365#M217388 SanjayReddy 2022-12-28T05:06:55Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625384#M217393 <LI-CODE lang="markup">| convert timeformat="%F %H:%M" ctime(zone) as ctime | stats count values(location) as location by user fullname country ctime | rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country" | fields - count | eval Location=if(isnotnull(mvfind(Location, "Office")), "Office", "Home") | sort 0 NetworkID</LI-CODE> Wed, 28 Dec 2022 07:55:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625384#M217393 ITWhisperer 2022-12-28T07:55:38Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625386#M217394 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252474">@villnooB</a>&nbsp;<BR /><BR /><SPAN>After rename, add the below logic</SPAN></P><P><BR /><SPAN>| eventstats count as multiple by DateStamp Name</SPAN><BR /><SPAN>| eval valid=if(multiple&gt;1 AND Location="Home","NO","YES")</SPAN><BR /><SPAN>| search valid="YES"<BR /></SPAN>|fields - count multiple valid</P><P>If this helps, karma would be appreciated.</P><P>Thanks,</P><P>Manasa</P> Wed, 28 Dec 2022 08:05:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625386#M217394 Manasa_401 2022-12-28T08:05:59Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625414#M217399 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<BR /><BR />Thank you very much</P> Wed, 28 Dec 2022 12:10:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625414#M217399 villnooB 2022-12-28T12:10:20Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625415#M217400 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/251844">@Manasa_401</a>&nbsp;,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236694">@SanjayReddy</a>&nbsp;<BR /><BR />Thank you very much for the help</P> Wed, 28 Dec 2022 12:11:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-2-different-rows-using-count/m-p/625415#M217400 villnooB 2022-12-28T12:11:12Z