https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220724#M64847 <P>Hello @emamedov,<BR /> I ran into a similar problem and found a solution hidden in the splunk archives here. For your use case, try this:</P> <PRE><CODE> eventtype=product-view | stats count by username, productname | stats list(username) as "User Name" list(count) as count by productname | rename productname as "Product Name" </CODE></PRE> <P>Good luck and happy hunting!</P> Tue, 12 Jan 2016 17:52:25 GMT dark_15 2016-01-12T17:52:25Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220721#M64844 <P>I am currently trying to group together unique products, and have the username listed under each product, however, I want to also add a count and that is where I hit a roadblock. I have looked at multiple posts regarding this topic and can't quite get over the finish line.</P> <P>Example:</P> <P>Instead of:<BR /> Product A:<BR /> User1<BR /> User2<BR /> User2<BR /> User2<BR /> User3</P> <P>Product B:<BR /> User 1<BR /> User 1<BR /> User 2</P> <P>I would like to have:</P> <P>Product A:<BR /> User 1 - 1<BR /> User 2 - 3<BR /> User 3 - 1</P> <P>Product B:<BR /> User 1 - 2<BR /> User 2 - 1</P> <P>Below is the search string I'm currently using to generate just the grouped product/users:</P> <PRE><CODE>eventtype=product-view|stats values(username) by productname </CODE></PRE> Thu, 07 Jan 2016 21:56:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220721#M64844 emamedov 2016-01-07T21:56:38Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220722#M64845 <P>Hi @emamedov,<BR /> Have you tried using "stats count by" with the fields you are trying to aggregate?</P> <P>For example:<BR /> eventtype=product-view|stats count by productname username</P> <P>As a more general example, if I run a search that includes this :<BR /> ...| stats count by (fieldA) (fieldB)<BR /> then the results would show a count of how many (fieldB) items there are, per (fieldA) item. It seems like a search like this would give you view counts per user for each product.</P> <P>Here are some examples in the documentation that might help:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Stats#Use_Case_Examples">http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Stats#Use_Case_Examples</A></P> Fri, 08 Jan 2016 00:05:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220722#M64845 frobinson_splun 2016-01-08T00:05:02Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220723#M64846 <P>Try this</P> <PRE><CODE>eventtype=product-view | chart count over username by productname </CODE></PRE> <P>And then if you want totals, you can do </P> <PRE><CODE>eventtype=product-view | chart count over username by productname | addtotals | addcoltotals labelfield=fieldA label=Totals </CODE></PRE> Fri, 08 Jan 2016 00:33:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220723#M64846 sundareshr 2016-01-08T00:33:13Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220724#M64847 <P>Hello @emamedov,<BR /> I ran into a similar problem and found a solution hidden in the splunk archives here. For your use case, try this:</P> <PRE><CODE> eventtype=product-view | stats count by username, productname | stats list(username) as "User Name" list(count) as count by productname | rename productname as "Product Name" </CODE></PRE> <P>Good luck and happy hunting!</P> Tue, 12 Jan 2016 17:52:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-add-the-count-for-each-value-of-a-field/m-p/220724#M64847 dark_15 2016-01-12T17:52:25Z