https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92434#M23851 <P>Uh, I don't see how your query can result in that output. I don't even see a count field in that table?</P> Fri, 12 Apr 2013 18:02:24 GMT Ayn 2013-04-12T18:02:24Z https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92433#M23850 <P>I have a search that returns values in a table like this:</P> <TABLE> <TBODY><TR><TD>USER</TD><TD>TIME</TD><TD>IP</TD><TD>Location</TD></TR> <TR><TD>user1</TD><TD>time1</TD><TD>ip1</TD><TD>loc1</TD></TR> <TR><TD>user1</TD><TD>time2</TD><TD>ip1</TD><TD>loc1</TD></TR> <TR><TD>user2</TD><TD>time2</TD><TD>ip2</TD><TD>loc2</TD></TR> <TR><TD>user1</TD><TD>time3</TD><TD>ip3</TD><TD>loc1</TD></TR> <TR><TD>user3</TD><TD>time3</TD><TD>ip4</TD><TD>loc4</TD></TR> <TR><TD>user1</TD><TD>time4</TD><TD>ip4</TD><TD>loc1</TD></TR> </TBODY></TABLE> <P><BR /><BR /> I want to search by grouped User Counts so I tried something like this:<BR /> <BR /><BR /> ...| stats Count by User values(User) values(Time) values(IP) values (Location)<BR /><BR /> Which gives me:</P> <TABLE> <TBODY><TR><TD>USER</TD><TD>TIME</TD><TD>IP</TD><TD>Location</TD></TR> <TR><TD>user1</TD><TD>time1</TD><TD>ip1</TD><TD>loc1</TD></TR> <TR><TD></TD><TD>time2</TD><TD>ip3</TD><TD></TD></TR> <TR><TD></TD><TD>time3</TD><TD></TD><TD></TD></TR> <TR><TD></TD><TD></TD><TD></TD><TD></TD></TR> <TR><TD>user2</TD><TD>time2</TD><TD>ip2</TD><TD>loc2</TD></TR> <TR><TD>user3</TD><TD>time3</TD><TD>ip4</TD><TD>loc4</TD></TR> <TR><TD>user1</TD><TD>time4</TD><TD>ip4</TD><TD>loc1</TD></TR> </TBODY></TABLE> <P>What I'm really after is:</P> <TABLE> <TBODY><TR><TD>USER</TD><TD>TIME</TD><TD>IP</TD><TD>Location</TD></TR> <TR><TD>user1</TD><TD>time1</TD><TD>ip1</TD><TD>loc1</TD></TR> <TR><TD></TD><TD>time2</TD><TD>ip3</TD><TD>loc1</TD></TR> <TR><TD></TD><TD>time3</TD><TD>ip3</TD><TD>loc1</TD></TR> <TR><TD></TD><TD></TD><TD></TD><TD></TD></TR> <TR><TD>user2</TD><TD>time2</TD><TD>ip2</TD><TD>loc2</TD></TR> <TR><TD>user3</TD><TD>time3</TD><TD>ip4</TD><TD>loc4</TD></TR> <TR><TD>user1</TD><TD>time4</TD><TD>ip4</TD><TD>loc1</TD></TR> </TBODY></TABLE> <P>It looks like the stats command decouples the fields and reports the TIME IP and LOC based on a column perspective. <BR /> I checked around a bit and it looks like evenstats may get me closer, but haven't been able to get it to work either. </P> <P>Can this be done in Splunk? If so, can someone point me in the right direction?<BR /> Thanks!</P> Fri, 12 Apr 2013 17:48:44 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92433#M23850 rchille 2013-04-12T17:48:44Z https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92434#M23851 <P>Uh, I don't see how your query can result in that output. I don't even see a count field in that table?</P> Fri, 12 Apr 2013 18:02:24 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92434#M23851 Ayn 2013-04-12T18:02:24Z https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92435#M23852 <P>I don't understand either. Your desired output has user1 in two places. Wouldn't you want to have them listed on a per user basis?</P> <P>Could <CODE>...| stats values(TIME) values(IP) values(Location) by USER |...</CODE> </P> <P>be what you're after? Bear in mind that the resulting lists will be independently sorted.</P> <P>Try <CODE>list()</CODE> instead of <CODE>values()</CODE> if you want all values, not just the distinct. </P> <P>/K</P> Fri, 12 Apr 2013 18:46:48 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92435#M23852 kristian_kolb 2013-04-12T18:46:48Z https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92436#M23853 <P>I guess I'm missing something too--but wouldn't the useful output be more like:</P> <P>... | stats count by User,Time,IP,Location | ...</P> <P>???</P> <P>-tv</P> Fri, 12 Apr 2013 19:00:24 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92436#M23853 narwhal 2013-04-12T19:00:24Z https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92437#M23854 <P>Thanks for the quick replies!<BR /> Sorry, I did leave out the 'count' field ... and as for the 2 user1's, copy/paste isn't my friend.</P> <P>The problem with list or value is exactly that: I get a list of the IPs in one column, a list of Times in the next with but no relationship between the values along the row.</P> <P>I'm looking to create a list of connections (TIME + IP + LOC) for all of my users. If user1 makes 4 connections during the day, I can look at the display and read off the details of each of the connections.</P> <P>Thanks again!</P> Fri, 12 Apr 2013 19:24:29 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92437#M23854 rchille 2013-04-12T19:24:29Z https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92438#M23855 <P>Kristian was pointed me the correct direction, I was after:</P> <P>...| stats Count by User list(User) list(Time) values(IP) list(Location)</P> <P>Instead of:</P> <P>...| stats Count by User values(User) values(Time) values(IP) values(Location)</P> <P>I really thought that I'd tried that, Thanks!</P> Fri, 12 Apr 2013 19:48:57 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-results-by-count/m-p/92438#M23855 rchille 2013-04-12T19:48:57Z