https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184006#M52992 <P>The "c" is just shorthand for "count". Similarly, dc() is shorthand for distinct_count(). So, "<CODE>| stats c by mdm_user,error_code</CODE>" and "<CODE>| stats count by mdm_user,error_code</CODE>" would produce the same results except that the count columns would be named "c" and "count" respectively. If you pipe the results of this first stats command into something else, you just need to make sure you use either "c" or "count" depending on what you used in the stats table.</P> Mon, 28 Sep 2020 16:07:04 GMT gauldridge 2020-09-28T16:07:04Z https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184003#M52989 <P>Hi,</P> <P>I have data that gives these fields: user and error code.</P> <P>I am trying to count the amount of certain errors PER user, so it would look like...</P> <P>USER----------ERROR-----COUNT</P> <P>user1</P> <P>--------------error1-----5</P> <P>--------------error2-----3</P> <P>user2</P> <P>--------------error1-----7</P> <P>--------------error3-----9</P> Wed, 12 Mar 2014 15:00:29 GMT https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184003#M52989 bcusick 2014-03-12T15:00:29Z https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184004#M52990 <P>You can do something like this to solve the problem of the double count by/group by</P> <PRE><CODE>your_search | stats c by user, error | stats list(error) AS ERROR list(c) AS COUNT by USER </CODE></PRE> <P>The result would look like;</P> <PRE><CODE>USER ERROR COUNT ------------------------- user1 error1 7 error3 3 error6 1 ------------------------- user2 error4 2 error3 9 </CODE></PRE> <P>/K</P> Wed, 12 Mar 2014 19:30:58 GMT https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184004#M52990 kristian_kolb 2014-03-12T19:30:58Z https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184005#M52991 <P>what is the "c" in "stats c by user, error"...do I replace this with "count"?</P> <P>My fields are offically mdm_user, error_code, and I want the count of each error_code value per user. I have a search that pulls the list of errors per user in one row so far by using | transaction mdm_user |</P> Mon, 28 Sep 2020 16:07:02 GMT https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184005#M52991 bcusick 2020-09-28T16:07:02Z https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184006#M52992 <P>The "c" is just shorthand for "count". Similarly, dc() is shorthand for distinct_count(). So, "<CODE>| stats c by mdm_user,error_code</CODE>" and "<CODE>| stats count by mdm_user,error_code</CODE>" would produce the same results except that the count columns would be named "c" and "count" respectively. If you pipe the results of this first stats command into something else, you just need to make sure you use either "c" or "count" depending on what you used in the stats table.</P> Mon, 28 Sep 2020 16:07:04 GMT https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184006#M52992 gauldridge 2020-09-28T16:07:04Z https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184007#M52993 <P>This worked so far...however I know I am going to have to add information from a lookup table. How can I produce multiple fields from a lookup table (on user) instead of just the stats this is giving?</P> Mon, 17 Mar 2014 13:39:39 GMT https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184007#M52993 bcusick 2014-03-17T13:39:39Z https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184008#M52994 <P>If the lookup is on User, just add a lookup command after the stats.</P> <P>....| stats...by USER | lookup yourlookupfile.csv lookupField as USER OUTPUT <SPECIFY your="" output="" fields="">.</SPECIFY></P> <P>This will just add the fields to existing output.</P> Mon, 17 Mar 2014 13:54:22 GMT https://community.splunk.com/t5/Splunk-Search/show-multiple-rows-per-one-user/m-p/184008#M52994 somesoni2 2014-03-17T13:54:22Z