https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18751#M2762 <P>Not very nice, but you can group the COMMAND and USER on a single columns and try the commands values().</P> <P><CODE>mysearch | eval command_user= COMMAND." ".USER <BR /> | stats values(command_user) AS list_command_user by host</CODE> </P> <P>But the duplicates will be removed, so if you really need the count, add some magic.</P> <P><CODE>mysearch | eval command_user= COMMAND." ".USER <BR /> | stats count by command_user host <BR /> | eval command_user_count=command_user." [".count."]"<BR /> | stats values(command_user_count) AS list_command_user_count by host</CODE> </P> Mon, 04 Feb 2013 16:09:36 GMT yannK 2013-02-04T16:09:36Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18749#M2760 <P>Hi Splunkers,</P> <P>this might sound stupid. I am trying to query and table host, COMMAND and USER which works fine. But is it possible to group the host? I want to display each COMMAND and USER value under one host name.<PRE><CODE><BR /> Host COMMAND USER<BR /> <A href="http://www.off.dus.acompany.com" target="_blank">www.off.dus.acompany.com</A> ini_t root<BR /> kthreadt root<BR /> ksoftirqd root<BR /> migration root<BR /> watdog/0 root<BR /> mirtion/1 root<BR /> ksoftqd/1 root<BR /> <A href="http://www.off.ber.bcompany.com" target="_blank">www.off.ber.bcompany.com</A> ini_t root<BR /> kthreadt root<BR /> ksoftirqd root<BR /> migration root<BR /> watdog/0 root<BR /> mirtion/1 root<BR /> ksoftqd/1 root</CODE></PRE></P> <P>This is all I got </P> <PRE><CODE>sourcetype=pu OR sourcetype=tik COMMAND | multikv | table host COMMAND USER</CODE></PRE> <P>In terms of visuals it is almost the same case as the following link </P> <P><A href="http://splunk-base.splunk.com/answers/25102/question-regarding-grouping-of-results-into-a-table" target="_blank">http://splunk-base.splunk.com/answers/25102/question-regarding-grouping-of-results-into-a-table </A></P> <P>Thanks in advance for your help.</P> <P>Best regards<BR /> Mike</P> Mon, 28 Sep 2020 13:13:42 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18749#M2760 lemikg 2020-09-28T13:13:42Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18750#M2761 <P>Perhaps mvcombine could be used? <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvcombine">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvcombine</A></P> Mon, 04 Feb 2013 16:08:18 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18750#M2761 MHibbin 2013-02-04T16:08:18Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18751#M2762 <P>Not very nice, but you can group the COMMAND and USER on a single columns and try the commands values().</P> <P><CODE>mysearch | eval command_user= COMMAND." ".USER <BR /> | stats values(command_user) AS list_command_user by host</CODE> </P> <P>But the duplicates will be removed, so if you really need the count, add some magic.</P> <P><CODE>mysearch | eval command_user= COMMAND." ".USER <BR /> | stats count by command_user host <BR /> | eval command_user_count=command_user." [".count."]"<BR /> | stats values(command_user_count) AS list_command_user_count by host</CODE> </P> Mon, 04 Feb 2013 16:09:36 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18751#M2762 yannK 2013-02-04T16:09:36Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18752#M2763 <P>thanks, i copy&amp;pasted eval command_user= COMMAND." ".USER <BR /> | stats values(command_user) AS list_command_user by host. But it shows only the hosts. Is there anything I need to do else?</P> Mon, 28 Sep 2020 13:13:50 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18752#M2763 lemikg 2020-09-28T13:13:50Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18753#M2764 <P>| stats list() will keep duplicate user-command tuples.</P> <PRE><CODE>sourcetype=pu OR sourcetype=tik COMMAND | multikv | strcat "[" USER "] " COMMAND user_command | stats list(user_command) by host </CODE></PRE> Mon, 04 Feb 2013 21:34:18 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18753#M2764 Paolo_Prigione 2013-02-04T21:34:18Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18754#M2765 <P>Perfect! Thank you very much!!!</P> Tue, 05 Feb 2013 08:16:07 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18754#M2765 lemikg 2013-02-05T08:16:07Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18755#M2766 <P>btw how do I now count the values in the field list(user_command)?</P> Tue, 05 Feb 2013 08:43:33 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18755#M2766 lemikg 2013-02-05T08:43:33Z https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18756#M2767 <P>replace "| stats list(user_command) by host" with "| stats list(user_command) count dc(user_command) as distinct_count by host"</P> Mon, 28 Sep 2020 13:14:05 GMT https://community.splunk.com/t5/Splunk-Search/Sort-and-Grouping-Question/m-p/18756#M2767 Paolo_Prigione 2020-09-28T13:14:05Z