https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183266#M52776 <P>Hello,</P> <P>I try to create stats to have all countries and cities that communicate with my servers.</P> <P>I made this search:</P> <PRE><CODE>sourcetype="syslog" deviceVendor="Apache" | iplocation ipVisitor | eval City= if(isnull(City) OR City="", "Unknown_City", City) | stats values(City) AS CityName, count by Country | sort - count </CODE></PRE> <P>It give me in the first column the Country, then in the second column all cities in this country and in the last third column the total count.</P> <P>I would like to have such thing instead:</P> <PRE><CODE>Country name | Cities Name (count) | Total Count United States | New York (5) | 10 | Boston (3) | | Washington (2) | France | Paris (10) | 12 | Marseille (2) | 2 </CODE></PRE> <P>I don't know how to do that to append the "(nbr)" to the City name</P> Wed, 11 Mar 2015 13:51:53 GMT danje57 2015-03-11T13:51:53Z https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183266#M52776 <P>Hello,</P> <P>I try to create stats to have all countries and cities that communicate with my servers.</P> <P>I made this search:</P> <PRE><CODE>sourcetype="syslog" deviceVendor="Apache" | iplocation ipVisitor | eval City= if(isnull(City) OR City="", "Unknown_City", City) | stats values(City) AS CityName, count by Country | sort - count </CODE></PRE> <P>It give me in the first column the Country, then in the second column all cities in this country and in the last third column the total count.</P> <P>I would like to have such thing instead:</P> <PRE><CODE>Country name | Cities Name (count) | Total Count United States | New York (5) | 10 | Boston (3) | | Washington (2) | France | Paris (10) | 12 | Marseille (2) | 2 </CODE></PRE> <P>I don't know how to do that to append the "(nbr)" to the City name</P> Wed, 11 Mar 2015 13:51:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183266#M52776 danje57 2015-03-11T13:51:53Z https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183267#M52777 <P>i propose you to make multi-values fields for City and count. look how to use multi-values in search reference manual page 258</P> Mon, 23 Mar 2015 12:13:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183267#M52777 tachifelix 2015-03-23T12:13:23Z https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183268#M52778 <P>You mean using multikv?</P> Mon, 23 Mar 2015 14:11:54 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183268#M52778 danje57 2015-03-23T14:11:54Z https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183269#M52779 <P>Here you go</P> <PRE><CODE>sourcetype="syslog" deviceVendor="Apache" | iplocation ipVisitor | eval City= if(isnull(City) OR City="", "Unknown_City", City) | stats count by Country,City | eval City=City."(".count.")" | stats values(City) as CityName, sum(count) as "Total Count" by Country </CODE></PRE> Mon, 23 Mar 2015 18:00:28 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183269#M52779 somesoni2 2015-03-23T18:00:28Z https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183270#M52780 <P>Exactly that I need!</P> <P>Many thanks!!!!</P> Tue, 24 Mar 2015 12:13:44 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-group-by-Country-City-having-count-sorted-for-Country/m-p/183270#M52780 danje57 2015-03-24T12:13:44Z