https://community.splunk.com/t5/Splunk-Search/How-to-achieve-conditional-count-for-multivalue-field/m-p/646857#M223879 <P>Hi, I'm kind of new to Splunk and I was wondering if someone could help on this:</P> <P>What I'm trying to do is a timechart that counts by month, the number of hosts that had 3 or more lastlogons.</P> <P>&nbsp;</P> <P>So far this is what I have:</P> <P>index="assets" sourcetype="ldap:devices"<BR />| stats values(lastLogonTimestamp) as "LastLogon" by host<BR />| eval LastLogon_Count = mvcount(LastLogon)</P> <P>host LastLogon LastLogon_Count</P> <TABLE> <TBODY> <TR> <TD>Host1</TD> <TD>2023-06-10T14:05:35.849017Z</TD> <TD>1</TD> </TR> <TR> <TD>Host2</TD> <TD>2023-06-10T16:24:01.290211Z</TD> <TD>1</TD> </TR> <TR> <TD>Host3</TD> <TD> <DIV class="">2023-03-12T01:30:39.853238Z</DIV> <DIV class="">2023-03-22T12:01:18.877600Z</DIV> <DIV class="">2023-04-01T14:05:33.812544Z</DIV> <DIV class="">2023-04-11T15:34:16.462356Z</DIV> <DIV class="">2023-04-24T11:50:29.265116Z</DIV> <DIV class="">2023-05-04T12:34:50.229455Z</DIV> <DIV class="">2023-05-14T16:16:22.161436Z</DIV> <DIV class="">2023-05-29T00:57:30.342080Z</DIV> </TD> <TD>8</TD> </TR> <TR> <TD>Host4</TD> <TD>2023-06-10T16:23:14.783142Z</TD> <TD>1</TD> </TR> <TR> <TD>Host5</TD> <TD>2023-06-10T14:05:51.345719Z</TD> <TD>1</TD> </TR> <TR> <TD>Host6</TD> <TD> <DIV class="">2023-05-11T14:52:26.019471Z</DIV> <DIV class="">2023-05-21T21:22:27.404659Z</DIV> <DIV class="">2023-05-31T22:02:28.210643Z</DIV> <DIV class="">2023-06-12T00:59:03.121092Z</DIV> </TD> <TD>4</TD> </TR> <TR> <TD>Host7</TD> <TD> <DIV class="">2023-05-11T14:46:42.864582Z</DIV> <DIV class="">2023-05-21T18:02:34.820364Z</DIV> <DIV class="">2023-05-31T22:13:17.107118Z</DIV> <DIV class="">2023-06-11T00:32:24.358015Z</DIV> </TD> <TD>4</TD> </TR> <TR> <TD>Host8</TD> <TD>2023-06-10T14:05:04.812651Z</TD> <TD>1</TD> </TR> <TR> <TD>Host9</TD> <TD>2023-06-10T14:05:20.315748Z</TD> <TD>1</TD> </TR> <TR> <TD>Host10</TD> <TD>2023-06-10T14:06:37.952136Z</TD> <TD>1</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>From this results I want to count on a timechart the hosts that had 3 or more lastlogon on the LastLogon_Count field.<BR />So let's say here the count should only be <STRONG>3 (Host3,Host6,Host7)</STRONG></P> <P>I tried doing this, but got no results:<BR /><BR />index="assets" sourcetype="ldap:devices"<BR />| stats values(lastLogonTimestamp) as "LastLogon" by host<BR />| eval LastLogon_Count = mvcount(LastLogon)<BR />| timechart span=1mon count(eval(if(LastLogon_Count &gt;= 3, 1,0))) by host</P> Thu, 15 Jun 2023 12:37:58 GMT luis_carlos 2023-06-15T12:37:58Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-conditional-count-for-multivalue-field/m-p/646857#M223879 <P>Hi, I'm kind of new to Splunk and I was wondering if someone could help on this:</P> <P>What I'm trying to do is a timechart that counts by month, the number of hosts that had 3 or more lastlogons.</P> <P>&nbsp;</P> <P>So far this is what I have:</P> <P>index="assets" sourcetype="ldap:devices"<BR />| stats values(lastLogonTimestamp) as "LastLogon" by host<BR />| eval LastLogon_Count = mvcount(LastLogon)</P> <P>host LastLogon LastLogon_Count</P> <TABLE> <TBODY> <TR> <TD>Host1</TD> <TD>2023-06-10T14:05:35.849017Z</TD> <TD>1</TD> </TR> <TR> <TD>Host2</TD> <TD>2023-06-10T16:24:01.290211Z</TD> <TD>1</TD> </TR> <TR> <TD>Host3</TD> <TD> <DIV class="">2023-03-12T01:30:39.853238Z</DIV> <DIV class="">2023-03-22T12:01:18.877600Z</DIV> <DIV class="">2023-04-01T14:05:33.812544Z</DIV> <DIV class="">2023-04-11T15:34:16.462356Z</DIV> <DIV class="">2023-04-24T11:50:29.265116Z</DIV> <DIV class="">2023-05-04T12:34:50.229455Z</DIV> <DIV class="">2023-05-14T16:16:22.161436Z</DIV> <DIV class="">2023-05-29T00:57:30.342080Z</DIV> </TD> <TD>8</TD> </TR> <TR> <TD>Host4</TD> <TD>2023-06-10T16:23:14.783142Z</TD> <TD>1</TD> </TR> <TR> <TD>Host5</TD> <TD>2023-06-10T14:05:51.345719Z</TD> <TD>1</TD> </TR> <TR> <TD>Host6</TD> <TD> <DIV class="">2023-05-11T14:52:26.019471Z</DIV> <DIV class="">2023-05-21T21:22:27.404659Z</DIV> <DIV class="">2023-05-31T22:02:28.210643Z</DIV> <DIV class="">2023-06-12T00:59:03.121092Z</DIV> </TD> <TD>4</TD> </TR> <TR> <TD>Host7</TD> <TD> <DIV class="">2023-05-11T14:46:42.864582Z</DIV> <DIV class="">2023-05-21T18:02:34.820364Z</DIV> <DIV class="">2023-05-31T22:13:17.107118Z</DIV> <DIV class="">2023-06-11T00:32:24.358015Z</DIV> </TD> <TD>4</TD> </TR> <TR> <TD>Host8</TD> <TD>2023-06-10T14:05:04.812651Z</TD> <TD>1</TD> </TR> <TR> <TD>Host9</TD> <TD>2023-06-10T14:05:20.315748Z</TD> <TD>1</TD> </TR> <TR> <TD>Host10</TD> <TD>2023-06-10T14:06:37.952136Z</TD> <TD>1</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>From this results I want to count on a timechart the hosts that had 3 or more lastlogon on the LastLogon_Count field.<BR />So let's say here the count should only be <STRONG>3 (Host3,Host6,Host7)</STRONG></P> <P>I tried doing this, but got no results:<BR /><BR />index="assets" sourcetype="ldap:devices"<BR />| stats values(lastLogonTimestamp) as "LastLogon" by host<BR />| eval LastLogon_Count = mvcount(LastLogon)<BR />| timechart span=1mon count(eval(if(LastLogon_Count &gt;= 3, 1,0))) by host</P> Thu, 15 Jun 2023 12:37:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-conditional-count-for-multivalue-field/m-p/646857#M223879 luis_carlos 2023-06-15T12:37:58Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-conditional-count-for-multivalue-field/m-p/646872#M223884 <P>Try a simpler expression in the timechart command.</P><P>Either</P><LI-CODE lang="markup">index="assets" sourcetype="ldap:devices" | stats values(lastLogonTimestamp) as "LastLogon" by host | eval LastLogon_Count = mvcount(LastLogon) | where LastLogon_Count &gt;= 3 | timechart span=1mon count by host</LI-CODE><P><SPAN>Or</SPAN></P><LI-CODE lang="markup">index="assets" sourcetype="ldap:devices" | stats values(lastLogonTimestamp) as "LastLogon" by host | eval LastLogon_Count = mvcount(LastLogon) | eval too_many = if(LastLogon_Count &gt;= 3, 1, 0) | timechart span=1mon sum(too_many) by host</LI-CODE> Tue, 13 Jun 2023 21:03:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-conditional-count-for-multivalue-field/m-p/646872#M223884 richgalloway 2023-06-13T21:03:18Z