https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172465#M49417 <P>Data_no: 1T<BR /> Identity: A<BR /> Data_no: 2T<BR /> Identity: C</P> <P>This is how your data is? If answer is no then can you post some sample log lines.</P> Mon, 28 Sep 2020 17:16:27 GMT strive 2020-09-28T17:16:27Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172464#M49416 <P>Hi, i will like to extract the count for the following</P> <PRE><CODE>Data_no: 1T Identity: A Data_no: 2T Identity: C </CODE></PRE> <P>i tried the following </P> <PRE><CODE>| rex max_match= 0 "(?m) Data_no: (?&lt;DataNo&gt;[a-zA-Z0-9#]+)" | rex max_match= 0 "(?m) Identity: (?&lt;Identity&gt;[a-zA-Z0-9#]+)" | stats count(eval(Identity= "A")) as A, count(eval(Identity= "C")) as C by DataNo </CODE></PRE> <P>The table returns the following:</P> <PRE><CODE>DataNO| A | C 1T | 1 | 1 2T | 1 | 1 </CODE></PRE> <P>How to i filter it so that it will become like this:</P> <PRE><CODE>DataNO| A | C 1T | 1 | 0 2T | 0 | 1 </CODE></PRE> <P>Thanks for your help!</P> Wed, 06 Aug 2014 03:33:46 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172464#M49416 wkau 2014-08-06T03:33:46Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172465#M49417 <P>Data_no: 1T<BR /> Identity: A<BR /> Data_no: 2T<BR /> Identity: C</P> <P>This is how your data is? If answer is no then can you post some sample log lines.</P> Mon, 28 Sep 2020 17:16:27 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172465#M49417 strive 2020-09-28T17:16:27Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172466#M49418 <P>yup this is an example of how my data is!</P> Wed, 06 Aug 2014 05:54:24 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172466#M49418 wkau 2014-08-06T05:54:24Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172467#M49419 <P>try this<BR /> |chart count by datano identity</P> Wed, 06 Aug 2014 07:35:04 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172467#M49419 strive 2014-08-06T07:35:04Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172468#M49420 <P>after trying that i got A=1, C=1 for 1T and A=1, C=1 for 2T. i will need something like A=1,C=0 for 1T and A=0, C=1 for 2T</P> Wed, 06 Aug 2014 08:03:45 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172468#M49420 wkau 2014-08-06T08:03:45Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172469#M49421 <P>Try this</P> <BLOCKQUOTE> <P>Updated</P> </BLOCKQUOTE> <PRE><CODE>your base search| rex max_match= 0 "(?m) Data_no: (?&lt;DataNo&gt;[a-zA-Z0-9#]+)" | rex max_match= 0 "(?m) Identity: (?&lt;Identity&gt;[a-zA-Z0-9#]+)" | eval temp=mvzip (DataNo, Identity) | mvexpand temp | rex field=temp "(?&lt;DataNo&gt;.*) (?&lt;Identity&gt;.*)" | chart count over DataNo by Identity </CODE></PRE> Wed, 06 Aug 2014 13:05:11 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172469#M49421 somesoni2 2014-08-06T13:05:11Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172470#M49422 <P>I still got back the same results the data that is provided happens in the same event at the same time, is it possible to filter the DataNO and Identity individually so that it does not double count?</P> Thu, 07 Aug 2014 01:06:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172470#M49422 wkau 2014-08-07T01:06:25Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172471#M49423 <P>Try updated answer.</P> Thu, 07 Aug 2014 03:43:16 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-total-count-for-different-fields/m-p/172471#M49423 somesoni2 2014-08-07T03:43:16Z