https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139150#M38219 <P>Try this:</P> <PRE><CODE>... | stats count values(user) dc(user) by country </CODE></PRE> Wed, 05 Feb 2014 20:12:29 GMT martin_mueller 2014-02-05T20:12:29Z https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139149#M38218 <P>Hello.<BR /> I have a requirement of presenting a table with Countries, users and the number of users in that country..<BR /> SO I have a query :<BR /> …{query}..| stats count values(user) by country </P> <P>This will give me :</P> <P>something like :</P> <P>country User</P> <P>USA-------u1</P> <P>-------------u2</P> <P>-------------u3</P> <P>-------------u4</P> <P>UK -------u5</P> <P>-------------u6</P> <P>What do I do to the query , so that it gives me the count of the number of users in the third column: something like :</P> <P>country User UserCount </P> <P>USA-------u1------ 4</P> <P>-------------u2</P> <P>-------------u3</P> <P>-------------u4</P> <P>UK -------u5----------2</P> <P>-------------u6</P> Wed, 05 Feb 2014 20:10:40 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139149#M38218 kanda18 2014-02-05T20:10:40Z https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139150#M38219 <P>Try this:</P> <PRE><CODE>... | stats count values(user) dc(user) by country </CODE></PRE> Wed, 05 Feb 2014 20:12:29 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139150#M38219 martin_mueller 2014-02-05T20:12:29Z https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139151#M38220 <P>Thank you sir..</P> Wed, 05 Feb 2014 20:29:04 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139151#M38220 kanda18 2014-02-05T20:29:04Z https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139152#M38221 <P>Hey,<BR /> This works great on the splunk interface, but when I generate a report to be sent to an email, with the inline results, the users show on single line. In the splunk search, the table is neat, with the users on a new line. Is there a way to make sure that the splunk result shows in email as is ? with the new lines etc?I tried to do eval userNames=mvjoin(UsersMV,"#") .I think i need to do something to replace the # from the userNames and add a new line \n in regex? not sure. I am surprised that the results in the Splunk interface is different from the results in the email</P> Wed, 05 Feb 2014 23:17:03 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139152#M38221 kanda18 2014-02-05T23:17:03Z https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139153#M38222 <P>Rendering in the UI and in an inline table of an email is inherently different. Off the top of my head you could try two things: You could <CODE>mvexpand</CODE> the values(user) field, giving you one copied event per user along with the counts... or you could indeed try to mvjoin() the users with a \n newline character... if that doesn't work, try joining them with an HTML &lt;br&gt; tag, provided Splunk isn't smart and replaces that with ampersand-entities.</P> <P>If all that fails, you could create your own version of the sendemail.py script and build the inline tables as you need them.</P> Wed, 05 Feb 2014 23:27:14 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-and-Counting-the-Group-Values/m-p/139153#M38222 martin_mueller 2014-02-05T23:27:14Z