https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211471#M61881 <P>Thank you it helped a lot . </P> Tue, 03 Jan 2017 08:46:19 GMT AdixitSplunk 2017-01-03T08:46:19Z https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211469#M61879 <P>HI ,<BR /> I have this query where i want my data in a specific format .<BR /> Here under each POD there are some 3-4 hosts ,whose total event count is 5 ...(highlighted)<BR /> Base query|stats count by host|addcoltotals </P> <P>Similarly for POD 2 i have some different set of hosts whose counts is 10 </P> <P><STRONG>Expected output:</STRONG></P> <P>Message POD1 POD2 Total <BR /> XYZ ........ <STRONG>5</STRONG>.............10.......... 15</P> <P>I used below query:<BR /> index="River" sourcetype=river_logs host="XYZ" OR "host="ABC" OR host="LM" OR "host="NOP" Message="*" |eval host=upper(host)|eval env=case( host=="XYZ" OR "host="ABC","POD1",host=="LM" OR "host=="NOP","POD2",1==1,"NOT MATCHED")|stats count by host env | chart values(count) over host by env</P> <P>Which is giving result as :<BR /> host POD1....POD2<BR /> XYZ 2<BR /> LM ...............5<BR /> ABC 3<BR /><BR /> NOP ............5</P> <P>WHICH IS NO THE expected format of result .(". "are nothing but the spaces to show how exactly result is popping)<BR /> Please help me with this one </P> Mon, 02 Jan 2017 12:39:38 GMT https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211469#M61879 AdixitSplunk 2017-01-02T12:39:38Z https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211470#M61880 <P>Is your expected output is host being first column or Message being first column?</P> <P>I am not sure why have you used two statistics i.e. stats and chart when you are trying to just perform count.</P> <P>Following should give you the results you are expecting.</P> <PRE><CODE>&lt;your base search&gt; | chart count by host env | addtotals row=t col=f </CODE></PRE> <P>PS: <BR /> 1) If you want to reverse Column/Row split just reverse the by sequence i.e. <STRONG>chart count by env host</STRONG><BR /> 2) If you want to show column totals also then use change from col=f to <STRONG>col=t labelfield=host</STRONG></P> Mon, 02 Jan 2017 14:48:35 GMT https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211470#M61880 niketn 2017-01-02T14:48:35Z https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211471#M61881 <P>Thank you it helped a lot . </P> Tue, 03 Jan 2017 08:46:19 GMT https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211471#M61881 AdixitSplunk 2017-01-03T08:46:19Z https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211472#M61882 <P>I have just used .....chart count by env |addcolstotals |fillnull value="Total" env<BR /> Its actually giving result as:</P> <P>env Count<BR /> POD1 5<BR /> POD2 2<BR /> POD3 3<BR /> Total 10<BR /> I want it to be like <BR /> POD1 POD2 POD3 Total <BR /> 5 2 3 <STRONG>10</STRONG><BR /> I used transpose command but its giving result like:<BR /> column <STRONG>row1 row2 row 3</STRONG><BR /> env POD1 POD2 POD3<BR /> Count 5 2 3</P> <P>Is it possible to make "POD1" POD2 as table header instead of row 1, row 2 etc.<BR /> Please help me with this .</P> Tue, 03 Jan 2017 09:01:57 GMT https://community.splunk.com/t5/Splunk-Search/eval-case-condition/m-p/211472#M61882 AdixitSplunk 2017-01-03T09:01:57Z