https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243578#M72514 <P>the events i have posted are without any search. Just the raw file. When I do search for tag=101 all the dn fields disappear. I did get an output using the new query but the result is different from what I expected and its not a timechart</P> Wed, 24 Aug 2016 18:52:12 GMT sid19920 2016-08-24T18:52:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243565#M72501 <P>How can I do search count by dn here? tag=101 means search. I have already used transaction conn to separate based on connection number<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1758i1110177F5FD36418/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 24 Aug 2016 02:40:16 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243565#M72501 sid19920 2016-08-24T02:40:16Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243566#M72502 <P>Try this instead of using <CODE>transaction</CODE> </P> <P>*<STRONG><EM>EDITED</EM></STRONG>*</P> <PRE><CODE> your base search | eventstats values(dn) as dn by conn | where tag=101 | timechart count by dn usenull=f useother=f </CODE></PRE> Wed, 24 Aug 2016 17:27:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243566#M72502 sundareshr 2016-08-24T17:27:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243567#M72503 <P>Thnx for the reply. Sorry but it says "No results". If i don't use transaction then the events are not grouped based on conn number. The DN value is only present after the binding is complete so I used transaction so that the dn and SRCH are grouped in same event.</P> Wed, 24 Aug 2016 17:36:51 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243567#M72503 sid19920 2016-08-24T17:36:51Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243568#M72504 <P>The graphs should look like this. The first one is for Search count by DN and the second one is for Search count duration by DN. I need help with both please<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1757i7C24126B1794C1AF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 24 Aug 2016 17:40:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243568#M72504 sid19920 2016-08-24T17:40:20Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243569#M72505 <P>Try the edited query</P> Wed, 24 Aug 2016 18:00:32 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243569#M72505 sundareshr 2016-08-24T18:00:32Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243570#M72506 <P>I did. It doesn't work. I think you'd be able to solve it if I can send you the log file</P> Wed, 24 Aug 2016 18:07:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243570#M72506 sid19920 2016-08-24T18:07:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243571#M72507 <P>This is a preview of how the data is indexed initially<IMG src="https://postimg.org/image/igb8y7ohv/" alt="alt text" /></P> Wed, 24 Aug 2016 18:11:45 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243571#M72507 sid19920 2016-08-24T18:11:45Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243572#M72508 <P>That'll be great. Share a few events</P> Wed, 24 Aug 2016 18:22:50 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243572#M72508 sundareshr 2016-08-24T18:22:50Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243573#M72509 <P><IMG src="https://postimg.org/image/igb8y7ohv/" alt="alt text" /></P> <P>Thnx.Ive added a link to the image url for you.</P> Wed, 24 Aug 2016 18:25:10 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243573#M72509 sid19920 2016-08-24T18:25:10Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243574#M72510 <P>I don't see the link. All I see is alt text. Just paste a few events to your original question</P> Wed, 24 Aug 2016 18:26:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243574#M72510 sundareshr 2016-08-24T18:26:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243575#M72511 <P><A href="https://postimg.org/image/igb8y7ohv/">https://postimg.org/image/igb8y7ohv/</A>. I couldn't as I don't have enough karma points. Can you see the link now?</P> Wed, 24 Aug 2016 18:29:40 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243575#M72511 sid19920 2016-08-24T18:29:40Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243576#M72512 <P>yes. i see it now</P> Wed, 24 Aug 2016 18:36:38 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243576#M72512 sundareshr 2016-08-24T18:36:38Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243577#M72513 <P>I assume the events you shared are from a search like this <CODE>your base search tag=101</CODE>, right? Because I don't see <CODE>dn=</CODE> anywhere. Try the updated query I posted. </P> Wed, 24 Aug 2016 18:41:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243577#M72513 sundareshr 2016-08-24T18:41:57Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243578#M72514 <P>the events i have posted are without any search. Just the raw file. When I do search for tag=101 all the dn fields disappear. I did get an output using the new query but the result is different from what I expected and its not a timechart</P> Wed, 24 Aug 2016 18:52:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-count-by-DN-based-on-my-sample-event/m-p/243578#M72514 sid19920 2016-08-24T18:52:12Z