https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331420#M98605 <P>However, you might want to consider this format instead - </P> <PRE><CODE>|chart sum(Count) over Book by Location </CODE></PRE> <P>...which gives this result</P> <PRE><CODE>Book Boston Dallas NYC book1 32 13 3 book2 51 15 5 book3 32 13 3 </CODE></PRE> Tue, 28 Feb 2017 20:00:39 GMT DalJeanis 2017-02-28T20:00:39Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331415#M98600 <P>Hi</P> <P>This is my data :</P> <P><IMG src="http://zupimages.net/up/17/09/xr0a.png" alt="alt text" /></P> <P>I want to group result by two fields like that :</P> <P><IMG src="http://zupimages.net/up/17/09/9mpv.png" alt="alt text" /></P> <P>I follow the instructions on this topic <A href="https://answers.splunk.com/answers/186874/how-to-use-group-by-with-two-fields-1.html">link text</A> , but I did not get the fields grouped as I want. They are grouped but I don't have the count for each row.</P> <P>Can anyone help me?</P> <P>Thanks</P> Tue, 28 Feb 2017 18:33:21 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331415#M98600 Naaba 2017-02-28T18:33:21Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331416#M98601 <P>this is the link <A href="https://answers.splunk.com/answers/186874/how-to-use-group-by-with-two-fields-1.html">https://answers.splunk.com/answers/186874/how-to-use-group-by-with-two-fields-1.html</A></P> Tue, 28 Feb 2017 18:35:33 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331416#M98601 Naaba 2017-02-28T18:35:33Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331417#M98602 <P>Hi, </P> <P>try the following.</P> <PRE><CODE>your-base-search | stats count by location, book </CODE></PRE> Tue, 28 Feb 2017 18:44:07 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331417#M98602 horsefez 2017-02-28T18:44:07Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331418#M98603 <P>Give this a try</P> <PRE><CODE>your base search giving fields Location, Book and Count | stats sum(Count) as Count by Location Book | stats list(Book) as Book list(Count) as Count by Location </CODE></PRE> Tue, 28 Feb 2017 19:29:50 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331418#M98603 somesoni2 2017-02-28T19:29:50Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331419#M98604 <P>Your data actually IS grouped the way you want. You just want to report it in such a way that the Location doesn't appear. So, here's one way you can mask the RealLocation with a display "location" by checking to see if the RealLocation is the same as the prior record, using the autoregress function.</P> <P>This part just generates some test data-</P> <PRE><CODE>| makeresults | eval mydata = "NYC,book1,3 NYC,book2,5 NYC,book3,3 Boston,book1,32 Boston,book2,51 Boston,book3,32 Dallas,book1,13 Dallas,book3,13 Dallas,book2,15" |makemv mydata| mvexpand mydata |makemv delim="," mydata | eval Location=mvindex(mydata,0), Book=mvindex(mydata,1), Count=mvindex(mydata,2) | table Location, Book, Count </CODE></PRE> <P>This part sorts it and masks the RealLocation </P> <PRE><CODE>| sort 0 Location, Book | autoregress Location | rename Location as RealLocation | eval Location=if(RealLocation==Location_p1,"-",RealLocation) | table Location Book Count RealLocation </CODE></PRE> <P>With these results</P> <PRE><CODE>Location Book Count RealLocation Boston book1 32 Boston - book2 51 Boston - book3 32 Boston Dallas book1 13 Dallas - book2 15 Dallas - book3 13 Dallas NYC book1 3 NYC - book2 5 NYC - book3 3 NYC </CODE></PRE> Tue, 28 Feb 2017 19:56:19 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331419#M98604 DalJeanis 2017-02-28T19:56:19Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331420#M98605 <P>However, you might want to consider this format instead - </P> <PRE><CODE>|chart sum(Count) over Book by Location </CODE></PRE> <P>...which gives this result</P> <PRE><CODE>Book Boston Dallas NYC book1 32 13 3 book2 51 15 5 book3 32 13 3 </CODE></PRE> Tue, 28 Feb 2017 20:00:39 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331420#M98605 DalJeanis 2017-02-28T20:00:39Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331421#M98606 <P>It tried this command but I have the same result</P> <P><IMG src="http://www.hostingpics.net/viewer.php?id=385099img1.jpg" alt="alt text" /></P> Wed, 01 Mar 2017 08:33:00 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331421#M98606 Naaba 2017-03-01T08:33:00Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331422#M98607 <P>Hi,</P> <P>I tried your command but. The data are listed as I want but the count column is empty.<BR /> Do you know why?</P> Wed, 01 Mar 2017 08:36:19 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331422#M98607 Naaba 2017-03-01T08:36:19Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331423#M98608 <P>I made a mistake in my command.<BR /> It worked. thanks for your help</P> Wed, 01 Mar 2017 08:40:12 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331423#M98608 Naaba 2017-03-01T08:40:12Z https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331424#M98609 <P>Hi,</P> <P>Thanks for your help.<BR /> This worked for me :</P> <P>| stats sum(Count) as Count by Location Book<BR /> | stats list(Book) as Book list(Count) as Count by Location</P> Wed, 01 Mar 2017 08:57:43 GMT https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331424#M98609 Naaba 2017-03-01T08:57:43Z