https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-a-list-within-a-list/m-p/258824#M77561 <P>Hey guys,</P> <P>So what i am trying to do is put a list inside of a list to get an output such as the one below</P> <PRE><CODE>Comapny | Count1 | Group | Count2 | Environment | Count3 _____________________________________________________________________ CompanyID 10 GroupID1 2 Environment1 1 Environment2 1 GroupID2 8 Environment1 4 Environment2 4 ______________________________________________________________________ CompanyID2 12 GroupID1 4 Environment1 3 Environment2 1 GroupID2 8 Environment1 2 Environment2 6 </CODE></PRE> <P>Or this:</P> <PRE><CODE>Comapny | Count1 | Group | Count2 | Environment1 | Environment2 _______________________________________________________________________________________ CompanyID 10 GroupID1 2 1 1 GroupID2 8 4 4 _______________________________________________________________________________________ CompanyID2 12 GroupID1 4 3 1 GroupID2 8 2 6 </CODE></PRE> <P>I have a search that gets me the Company, Group, and Environment but I can't get the counts and Groups to show up properly</P> <P>Current search: </P> <PRE><CODE>index="Customers" |stats count by Customer,Group, Environment |stats sum(count) as Total list(Group) as Source list(count) as Count list(Environment) as Environment list(count) as Count2 by Customer </CODE></PRE> <P>That search gets me the following output</P> <PRE><CODE>Comapny | Count1 | Group | Count2 | Environment | Count3 _____________________________________________________________________ CompanyID 10 GroupID1 Environment1 1 GroupID1 Environment2 1 GroupID2 Environment1 4 GroupID2 Environment2 4 ______________________________________________________________________ CompanyID2 12 GroupID1 Environment1 3 GroupID1 Environment2 1 GroupID2 Environment1 2 GroupID2 Environment2 6 </CODE></PRE> <P>How would i get one of the two outputs from above?</P> <P>Thanks in advanced! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 19 May 2016 15:58:09 GMT singhh4 2016-05-19T15:58:09Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-a-list-within-a-list/m-p/258824#M77561 <P>Hey guys,</P> <P>So what i am trying to do is put a list inside of a list to get an output such as the one below</P> <PRE><CODE>Comapny | Count1 | Group | Count2 | Environment | Count3 _____________________________________________________________________ CompanyID 10 GroupID1 2 Environment1 1 Environment2 1 GroupID2 8 Environment1 4 Environment2 4 ______________________________________________________________________ CompanyID2 12 GroupID1 4 Environment1 3 Environment2 1 GroupID2 8 Environment1 2 Environment2 6 </CODE></PRE> <P>Or this:</P> <PRE><CODE>Comapny | Count1 | Group | Count2 | Environment1 | Environment2 _______________________________________________________________________________________ CompanyID 10 GroupID1 2 1 1 GroupID2 8 4 4 _______________________________________________________________________________________ CompanyID2 12 GroupID1 4 3 1 GroupID2 8 2 6 </CODE></PRE> <P>I have a search that gets me the Company, Group, and Environment but I can't get the counts and Groups to show up properly</P> <P>Current search: </P> <PRE><CODE>index="Customers" |stats count by Customer,Group, Environment |stats sum(count) as Total list(Group) as Source list(count) as Count list(Environment) as Environment list(count) as Count2 by Customer </CODE></PRE> <P>That search gets me the following output</P> <PRE><CODE>Comapny | Count1 | Group | Count2 | Environment | Count3 _____________________________________________________________________ CompanyID 10 GroupID1 Environment1 1 GroupID1 Environment2 1 GroupID2 Environment1 4 GroupID2 Environment2 4 ______________________________________________________________________ CompanyID2 12 GroupID1 Environment1 3 GroupID1 Environment2 1 GroupID2 Environment1 2 GroupID2 Environment2 6 </CODE></PRE> <P>How would i get one of the two outputs from above?</P> <P>Thanks in advanced! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 19 May 2016 15:58:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-a-list-within-a-list/m-p/258824#M77561 singhh4 2016-05-19T15:58:09Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-a-list-within-a-list/m-p/258825#M77562 <P>Give this a try (for expected format#2)</P> <PRE><CODE>index="Customers" |stats count by Customer,Group, Environment | eval temp=Customer."#".Group | xyseries temp Environment count | addtotals fieldname=Count2 | rex field=temp "(?&lt;Customer&gt;[^#]+)#(?&lt;Group&gt;.+)" | fields - temp | stats sum(Count2) as Count1 list(*) as * by Customer </CODE></PRE> Thu, 19 May 2016 16:43:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-a-list-within-a-list/m-p/258825#M77562 somesoni2 2016-05-19T16:43:35Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-a-list-within-a-list/m-p/258826#M77563 <P>You are awesome! Thank you soo much!</P> Fri, 20 May 2016 16:53:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-a-list-within-a-list/m-p/258826#M77563 singhh4 2016-05-20T16:53:19Z