topic How do I write a search to display a table with the count of each value for a field? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159361#M44958 <P>Hello, </P> <P>My data looks like: </P> <P>I currently have this search:</P> <PRE><CODE>source=myapp test123 | stats count by type </CODE></PRE> <P>The results are: </P> <P>type ........ count<BR /> 1234 ........... 2<BR /> 123 ........ .. 1<BR /> 456 .......... 6</P> <P>I just want to show the count result and another criteria from the logs in a table. Is it possible?</P> <P>thanks </P> Tue, 11 Aug 2015 11:05:04 GMT abovebeyond 2015-08-11T11:05:04Z How do I write a search to display a table with the count of each value for a field? https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159361#M44958 <P>Hello, </P> <P>My data looks like: </P> <P>I currently have this search:</P> <PRE><CODE>source=myapp test123 | stats count by type </CODE></PRE> <P>The results are: </P> <P>type ........ count<BR /> 1234 ........... 2<BR /> 123 ........ .. 1<BR /> 456 .......... 6</P> <P>I just want to show the count result and another criteria from the logs in a table. Is it possible?</P> <P>thanks </P> Tue, 11 Aug 2015 11:05:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159361#M44958 abovebeyond 2015-08-11T11:05:04Z Re: How do I write a search to display a table with the count of each value for a field? https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159362#M44959 <P>What does your data look like? What is the "other criteria"?</P> Tue, 11 Aug 2015 12:05:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159362#M44959 richgalloway 2015-08-11T12:05:51Z Re: How do I write a search to display a table with the count of each value for a field? https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159363#M44960 <P>my data looks like :</P> <P>015-08-11 10:28:57.4149|process-name|ERROR|BusinessService.myapp.Create.LoggHandleError|Created myapp Failed <STRONG>Mname: myprime</STRONG> |ConsumerName: unknown | <STRONG>type : 4444</STRONG>|ERROR: ErrorCode: Invalidtype <BR /> Failed <STRONG>Mname: myprime</STRONG> |ConsumerName: unknown | <STRONG>type : 4444</STRONG>|ERROR: ErrorCode: Invalidtype <BR /> 015-08-11 10:28:58.4259|process-name|ERROR|BusinessService.myapp.Create.LoggHandleError|Created myapp Failed <STRONG>Mname: myprime</STRONG>|ConsumerName: unknown | <STRONG>type : 5555</STRONG>|ERROR: ErrorCode: Invalidtype <BR /> 015-08-11 10:28:58.4259|process-name|ERROR|BusinessService.myapp.Create.LoggHandleError|Created myapp Failed <STRONG>Mname: myprime2</STRONG>|ConsumerName: unknown | <STRONG>type : 6666</STRONG>|ERROR: ErrorCode: Invalidtype</P> <P>i want to show in table :</P> <P>Mname .............. count (of type)</P> <P>myprime .............. 3<BR /> myprime 2 ............ 1</P> <P>hope you understand</P> Tue, 11 Aug 2015 12:23:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159363#M44960 abovebeyond 2015-08-11T12:23:15Z Re: How do I write a search to display a table with the count of each value for a field? https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159364#M44961 <P>Yes, it's defiantly possible.. Instead of doing a stats, you can just do a table command if you want to add more columns </P> <PRE><CODE>source=myapp test123 | table type brand color </CODE></PRE> <P>Or if you wanted it to calculate the type and add a table, you could do.. The eval command will create a new field and do the math (size/occurance). The result of the division will be the new field "type"</P> <PRE><CODE>source=myapp test123 | eval type=(size/occurance) | table type brand color </CODE></PRE> Tue, 11 Aug 2015 12:40:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159364#M44961 skoelpin 2015-08-11T12:40:57Z Re: How do I write a search to display a table with the count of each value for a field? https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159365#M44962 <P>You should look at all the <CODE>functions</CODE> that are available for the <CODE>stats</CODE> command and use what you need, You will probably need <CODE>values</CODE>, <CODE>avg</CODE>, <CODE>last</CODE>, <CODE>min</CODE>, and <CODE>max</CODE>. You just string them along like this:</P> <PRE><CODE>source=myapp test123 | stats count avg(delay) last(status) values(color) by type </CODE></PRE> <P>If you are gong to graph them, you should switch from <CODE>stats</CODE> to <CODE>chart</CODE>, which is a very similar command and it automatically advances populates the <CODE>Visualization</CODE> tab.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonStatsFunctions">http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonStatsFunctions</A></P> Tue, 11 Aug 2015 13:27:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-a-search-to-display-a-table-with-the-count-of/m-p/159365#M44962 woodcock 2015-08-11T13:27:41Z