https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307089#M92097 <P>In fact, it worked. I had to use AS command in stats<BR /> <A href="https://answers.splunk.com/answers/154916/how-to-search-and-filter-based-on-fields-created-by-stats.html">https://answers.splunk.com/answers/154916/how-to-search-and-filter-based-on-fields-created-by-stats.html</A></P> <P>| stats values(EndPointMatchedProfile) AS profile by EndPointMACAddress | eval pcount=mvcount(profile) | where pcount &lt;2 AND (profile=="Unknown" OR profile="")</P> <P>Thank you worshamn, much appreciated.</P> Mon, 28 Aug 2017 04:13:02 GMT ashabc 2017-08-28T04:13:02Z https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307085#M92093 <P>I have a search like below</P> <P>| stats values(EndPointMatchedProfile) by EndPointMACAddress</P> <P>Where each EndPointMACAddress may have one or more EndPointMatchedProfile values.</P> <P>How do I find out EndPointMACAddress that has only one EndPointMatchedProfile value and that value is "Unknown". I do not want to return EndPointMACAddress that has two or more EndPointMatchedProfile values and one of them is "Unknown"</P> Mon, 28 Aug 2017 01:27:49 GMT https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307085#M92093 ashabc 2017-08-28T01:27:49Z https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307086#M92094 <P>Just add a count to it, then use a where clause to find the condition you are looking for. </P> <P>| stats values(EndPointMatchedProfile) AS EndPointMatchedProfile count by EndPointMACAddress<BR /> |where count =="1" AND EndPointMatchedProfile=="Unknown"</P> Mon, 28 Aug 2017 01:43:09 GMT https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307086#M92094 worshamn 2017-08-28T01:43:09Z https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307087#M92095 <P>Actually I'm not sure that the stats count will be the right count, you may instead before the where statement do an eval:</P> <P>|eval count = mvcount(EndPointMatchedProfile)</P> Mon, 28 Aug 2017 01:46:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307087#M92095 worshamn 2017-08-28T01:46:53Z https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307088#M92096 <P>Thank you Worshamn for responding so quickly. I tried the command you suggested, I don't think where command is working correctly. If I put where==2 it does not return any result. However, I know for sure, that there are multiple values of EndPointMatchedProfile for many EndPointMACAddress with two values and one of EndPointMatchedProfile is unknown.</P> Mon, 28 Aug 2017 03:49:11 GMT https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307088#M92096 ashabc 2017-08-28T03:49:11Z https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307089#M92097 <P>In fact, it worked. I had to use AS command in stats<BR /> <A href="https://answers.splunk.com/answers/154916/how-to-search-and-filter-based-on-fields-created-by-stats.html">https://answers.splunk.com/answers/154916/how-to-search-and-filter-based-on-fields-created-by-stats.html</A></P> <P>| stats values(EndPointMatchedProfile) AS profile by EndPointMACAddress | eval pcount=mvcount(profile) | where pcount &lt;2 AND (profile=="Unknown" OR profile="")</P> <P>Thank you worshamn, much appreciated.</P> Mon, 28 Aug 2017 04:13:02 GMT https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307089#M92097 ashabc 2017-08-28T04:13:02Z https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307090#M92098 <P>@ashabc - We've converted the comment to an answer so you can accept it.</P> Mon, 28 Aug 2017 05:02:48 GMT https://community.splunk.com/t5/Splunk-Search/Search-output-of-a-stats-command/m-p/307090#M92098 DalJeanis 2017-08-28T05:02:48Z