https://community.splunk.com/t5/Splunk-Search/table-with-fields-and-count-related-by-another-field/m-p/653212#M225747 <P>Hi,</P><P>&nbsp;</P><P>i have the following case,</P><P>An operation has multiple events and every event of an operation is related by field PushId.</P><P>Below the events of one operation (underlined necessary fields)</P><LI-CODE lang="markup">13:14:03,838;04-08-2023 13:14:03.838;;SMS;33786543;iOS;001452c7-9f80-4215-87b5-a20b00e3c4fd;;;0;OK 13:09:31,150;04-08-2023 13:09:31.133;;SEND_PUSH_APNS;33786543;ios;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body.;17;OK;null 13:09:31,131;04-08-2023 13:09:31.102;;NON_SILENT_PUSH;33786543;;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body..;29;OK;null 01:23:52,652;04-08-2023 01:23:52.519;10.129.150.86;SEND_PUSH_REQUEST;33786543;ios;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body.;133;OK;29a6c9e8-d731-47b4-81b9-6748596c4138</LI-CODE><P><SPAN class="">I want to count by every PushID (001452c7-9f80-4215-87b5-a20b00e3c4fd in this case) the Number of requests equal to&nbsp;SEND_PUSH_REQUEST, ACK and SMS.</SPAN></P><P><SPAN class="">With this counts do a table including Title and Body,</SPAN></P><P><SPAN class="">For this particular case, should look like,</SPAN></P><LI-CODE lang="markup">Title | Body | Requests (SEND_PUSH_REQUEST) | ACK | SMS</LI-CODE><P><SPAN class="">This is a Title | This is the Body | 1 | 0 | 1</SPAN></P><P>&nbsp;</P><P><SPAN class="">for counts i'm ok with below queries</SPAN></P><LI-CODE lang="markup">index=vfpt_idx_gssm_mbe PushId=001452c7-9f80-4215-87b5-a20b00e3c4fd | stats count(eval(Request="SEND_PUSH_REQUEST")) as request , dc(eval(Request="ACK")) as ack , count(eval(Request="SMS")) as sms by PushId, Title, Body | table Title Body request ack sms</LI-CODE><P><SPAN class="">the problem is isn't show the correct count for SMS because is Title and Body is not on all events</SPAN></P><LI-CODE lang="markup">index=vfpt_idx_gssm_mbe PushId=001452c7-9f80-4215-87b5-a20b00e3c4fd | stats count(eval(Request="SEND_PUSH_REQUEST")) as request , dc(eval(Request="ACK")) as ack , count(eval(Request="SMS")) as sms by PushId | table Title Body request ack sms</LI-CODE><P><SPAN class="">With this query, counts are ok but table is not showing Title and Body.</SPAN></P><P>&nbsp;</P><P><SPAN class="">I'm stuck here and i don't know how to relate the counts with fields Title and Body on a table.</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thank you</SPAN></P> Fri, 04 Aug 2023 17:28:59 GMT lemospt 2023-08-04T17:28:59Z https://community.splunk.com/t5/Splunk-Search/table-with-fields-and-count-related-by-another-field/m-p/653212#M225747 <P>Hi,</P><P>&nbsp;</P><P>i have the following case,</P><P>An operation has multiple events and every event of an operation is related by field PushId.</P><P>Below the events of one operation (underlined necessary fields)</P><LI-CODE lang="markup">13:14:03,838;04-08-2023 13:14:03.838;;SMS;33786543;iOS;001452c7-9f80-4215-87b5-a20b00e3c4fd;;;0;OK 13:09:31,150;04-08-2023 13:09:31.133;;SEND_PUSH_APNS;33786543;ios;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body.;17;OK;null 13:09:31,131;04-08-2023 13:09:31.102;;NON_SILENT_PUSH;33786543;;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body..;29;OK;null 01:23:52,652;04-08-2023 01:23:52.519;10.129.150.86;SEND_PUSH_REQUEST;33786543;ios;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body.;133;OK;29a6c9e8-d731-47b4-81b9-6748596c4138</LI-CODE><P><SPAN class="">I want to count by every PushID (001452c7-9f80-4215-87b5-a20b00e3c4fd in this case) the Number of requests equal to&nbsp;SEND_PUSH_REQUEST, ACK and SMS.</SPAN></P><P><SPAN class="">With this counts do a table including Title and Body,</SPAN></P><P><SPAN class="">For this particular case, should look like,</SPAN></P><LI-CODE lang="markup">Title | Body | Requests (SEND_PUSH_REQUEST) | ACK | SMS</LI-CODE><P><SPAN class="">This is a Title | This is the Body | 1 | 0 | 1</SPAN></P><P>&nbsp;</P><P><SPAN class="">for counts i'm ok with below queries</SPAN></P><LI-CODE lang="markup">index=vfpt_idx_gssm_mbe PushId=001452c7-9f80-4215-87b5-a20b00e3c4fd | stats count(eval(Request="SEND_PUSH_REQUEST")) as request , dc(eval(Request="ACK")) as ack , count(eval(Request="SMS")) as sms by PushId, Title, Body | table Title Body request ack sms</LI-CODE><P><SPAN class="">the problem is isn't show the correct count for SMS because is Title and Body is not on all events</SPAN></P><LI-CODE lang="markup">index=vfpt_idx_gssm_mbe PushId=001452c7-9f80-4215-87b5-a20b00e3c4fd | stats count(eval(Request="SEND_PUSH_REQUEST")) as request , dc(eval(Request="ACK")) as ack , count(eval(Request="SMS")) as sms by PushId | table Title Body request ack sms</LI-CODE><P><SPAN class="">With this query, counts are ok but table is not showing Title and Body.</SPAN></P><P>&nbsp;</P><P><SPAN class="">I'm stuck here and i don't know how to relate the counts with fields Title and Body on a table.</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thank you</SPAN></P> Fri, 04 Aug 2023 17:28:59 GMT https://community.splunk.com/t5/Splunk-Search/table-with-fields-and-count-related-by-another-field/m-p/653212#M225747 lemospt 2023-08-04T17:28:59Z https://community.splunk.com/t5/Splunk-Search/table-with-fields-and-count-related-by-another-field/m-p/653214#M225749 <LI-CODE lang="markup">index=vfpt_idx_gssm_mbe PushId=001452c7-9f80-4215-87b5-a20b00e3c4fd | eventstats vlaues(Title) as Title values(Body) as Body by PushId | stats count(eval(Request="SEND_PUSH_REQUEST")) as request , dc(eval(Request="ACK")) as ack , count(eval(Request="SMS")) as sms by PushId Title Body | table Title Body request ack sms</LI-CODE> Fri, 04 Aug 2023 13:38:47 GMT https://community.splunk.com/t5/Splunk-Search/table-with-fields-and-count-related-by-another-field/m-p/653214#M225749 ITWhisperer 2023-08-04T13:38:47Z https://community.splunk.com/t5/Splunk-Search/table-with-fields-and-count-related-by-another-field/m-p/653248#M225763 <P>That's it&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>, Thanks a lot for the help.</P> Fri, 04 Aug 2023 17:11:14 GMT https://community.splunk.com/t5/Splunk-Search/table-with-fields-and-count-related-by-another-field/m-p/653248#M225763 lemospt 2023-08-04T17:11:14Z