https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159043#M44839 <P>The easiest thing to do here would be to create tags for each value with your desired groups above. Setting the tag "success" on result_action="Success with condition" and so on.</P> <P>You could then write a search like:<BR /> <PRE><BR /> index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by tag::result_action<BR /> </PRE></P> <P>Hope that helps!</P> Wed, 27 Nov 2013 19:18:16 GMT delink 2013-11-27T19:18:16Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159041#M44837 <P>Hello All,</P> <P>i have the following query with results:</P> <P>Query:<BR /> index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by result_action</P> <P>result_action count</P> <P>Failure 356<BR /> Success 591<BR /> Failure with condition1 5<BR /> Success with condition1 58088<BR /> Check Resource 47245<BR /> Data Store Error 4<BR /> Read User Properties 7381<BR /> User Token Created 38737<BR /> User Token Failed 77818</P> <P>I would like to collapse all result_actions and group them as follows.</P> <P>Success= value<BR /> Failure=value<BR /> Total=Value</P> <P>Could anyone help here</P> <P>Thanks<BR /> Ashish</P> Wed, 27 Nov 2013 19:11:19 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159041#M44837 ashishv 2013-11-27T19:11:19Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159042#M44838 <P>Which fields are you counting as failures, and which are successes?</P> Wed, 27 Nov 2013 19:14:08 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159042#M44838 lukejadamec 2013-11-27T19:14:08Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159043#M44839 <P>The easiest thing to do here would be to create tags for each value with your desired groups above. Setting the tag "success" on result_action="Success with condition" and so on.</P> <P>You could then write a search like:<BR /> <PRE><BR /> index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by tag::result_action<BR /> </PRE></P> <P>Hope that helps!</P> Wed, 27 Nov 2013 19:18:16 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159043#M44839 delink 2013-11-27T19:18:16Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159044#M44840 <P>if there is a <EM>Fail</EM> in result_action it is a FAILED &amp; if <EM>Succ</EM> in result_action it is a SUCCESS.</P> <P>thnx</P> Mon, 28 Sep 2020 15:22:53 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159044#M44840 ashishv 2020-09-28T15:22:53Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159045#M44841 <P>this didnt work i got a "No result found"</P> Wed, 27 Nov 2013 19:24:51 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159045#M44841 ashishv 2013-11-27T19:24:51Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159046#M44842 <P>Did you go through and add all of the tags on various values of result_action? I was able to run a command like this on my own Splunk instance and count results by tags rather than the original values.</P> Wed, 27 Nov 2013 19:34:43 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159046#M44842 delink 2013-11-27T19:34:43Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159047#M44843 <P>Sorry, newbie here… not sure how to add Tags.</P> Wed, 27 Nov 2013 19:36:10 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159047#M44843 ashishv 2013-11-27T19:36:10Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159048#M44844 <P>No problem at all. In the search interface, you will want to go into the field picker and make result_action a selected field. It will then show up under each event in the search results. From there, you can click on the result_action=value in an event and you will see a Tag option there. Just add "success" or "failure" for each of the possible result_action values, then the search provided above will work.</P> Mon, 28 Sep 2020 15:22:58 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159048#M44844 delink 2020-09-28T15:22:58Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159049#M44845 <P>Yep that worked, thnx…</P> <P>Ashish</P> Wed, 27 Nov 2013 19:58:50 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159049#M44845 ashishv 2013-11-27T19:58:50Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159050#M44846 <P>Excellent. If you wouldn't mind voting up the answer and selecting it as the correct answer, I would appreciate it.</P> Wed, 27 Nov 2013 20:00:21 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-multiple-values-with-conditions/m-p/159050#M44846 delink 2013-11-27T20:00:21Z