https://community.splunk.com/t5/Splunk-Search/New-user-trying-to-work-out-a-report-Followup-questions/m-p/88461#M22633 <P>here is your original issue:<BR /> <A href="http://answers.splunk.com/questions/8862/new-user-trying-to-work-out-a-report">http://answers.splunk.com/questions/8862/new-user-trying-to-work-out-a-report</A></P> Sat, 13 Nov 2010 04:14:46 GMT Genti 2010-11-13T04:14:46Z https://community.splunk.com/t5/Splunk-Search/New-user-trying-to-work-out-a-report-Followup-questions/m-p/88460#M22632 <P>Appreciate the answer to my original question, but it leads me to a couple of additional issues:</P> <P>0) As I write this, it was suggested that I tag it or link it back to the original question, and I don't see how to do either of those things... Help??!</P> <P>1) The following query seems to work:</P> <PRE><CODE>index="netcool" | stats count by tgtHostname, supportGroup | where count &gt; 50 | stats count(tgtHostname) by supportGroup </CODE></PRE> <P>This produces a list of support groups and a column which counts the number of hosts that have 50+ events associated with them. I can create a pie chart report out of this. So far so good...</P> <P>The original suggested query was this:</P> <PRE><CODE>[Search string] | stats count as EventCount by host, SupportGroup | where count &gt; 100 | stats count(host) by SupportGroup </CODE></PRE> <P>and my first question is - what does the 'as EventCount' mean, and is that supposed to be literal text or does EventCount correspond to one of my event columns? When I include that text, the query simply does nothing...</P> <P>2) The query above generates 2 columns of data - I would like to display a third column, which would contain the sum total of all the events associated with the hosts in the given host group.</P> <P>So instead of </P> <P>SG_001 6<BR /> SG_002 4<BR /> SG_003 10 </P> <P>where the first row shows that support group SG_001 has 6 hosts with 50+ events, I'd like to generate</P> <P>SG_001 6 200<BR /> SG_002 4 1000<BR /> SG_003 10 900 </P> <P>where the first row shows that SG_001 has 6 hosts with 50+ events, and those 6 hosts have a total of 200 events associated with them...</P> <P>I'm working out the query language, but I would appreciate any help you can give me on this as I get started...</P> <P>Thanks in advance,</P> <P>nbc</P> Sat, 13 Nov 2010 04:02:09 GMT https://community.splunk.com/t5/Splunk-Search/New-user-trying-to-work-out-a-report-Followup-questions/m-p/88460#M22632 nbcohen 2010-11-13T04:02:09Z https://community.splunk.com/t5/Splunk-Search/New-user-trying-to-work-out-a-report-Followup-questions/m-p/88461#M22633 <P>here is your original issue:<BR /> <A href="http://answers.splunk.com/questions/8862/new-user-trying-to-work-out-a-report">http://answers.splunk.com/questions/8862/new-user-trying-to-work-out-a-report</A></P> Sat, 13 Nov 2010 04:14:46 GMT https://community.splunk.com/t5/Splunk-Search/New-user-trying-to-work-out-a-report-Followup-questions/m-p/88461#M22633 Genti 2010-11-13T04:14:46Z https://community.splunk.com/t5/Splunk-Search/New-user-trying-to-work-out-a-report-Followup-questions/m-p/88462#M22634 <P>When you do a | stats count as EventCount it will rename count to EventCount. </P> <P>Believe that search should have looked like this to work:</P> <PRE><CODE>[Search string] | stats count as EventCount by host, SupportGroup | where EventCount &gt; 100 | stats count(host) by SupportGroup </CODE></PRE> <P>If the rename to EventCount was not there it would have worked the first time. Could have been a typo. </P> <P>Travis.</P> Sat, 13 Nov 2010 04:44:42 GMT https://community.splunk.com/t5/Splunk-Search/New-user-trying-to-work-out-a-report-Followup-questions/m-p/88462#M22634 thall79 2010-11-13T04:44:42Z