Finally got back to this:

Found this post:
http://splunk-base.splunk.com/answers/56425/counting-distinct-field-values-and-dislaying-count-and-v...

Using this idea I did something like this.
| stats count by SourceName host | search count > 2 | table SourceName, host, count | sort -count

Not the way I really wanted it but it works.

Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Apprechiate the response still not acting like I want. Maybe an example best.

    host    DnsApi  Kerberos    Microsoft-Windows-GroupPolicy   Microsoft-Windows-Resource-Exhaustion-Detector  Microsoft-Windows-Service Control Manager   Microsoft-Windows-Time-Service  PlugPlayManager     Print   Service Control Manager Eventlog Provider   TermServDevices
1   CLAIMS  0   0   0   0   0   0   0   2   0   0
2   DIVSRV  0   0   0   0   0   6   0   0   0   0
3   MQVMa   0   0   0   0   0   0   226 0   0   0
4   MQVMb   0   0   0   0   0   0   0   0   0   1
5   PASSEXTN1   0   0   28  0   0   0   0   0   0   0
6   RHEDOC  0   0   0   0   0   0   0   0   0   1
7   VIPPsrv 1   0   0   0   0   7   0   0   0   0

I want to drop off systems like MQVMb, RHEDOC since they only have a count of one in any of the columns.

When I do the suggested way or anything where I seem to conditional count I loose systems lineMQVMa and the 226 or PASSEXTn1 28.

Sure I am just not building out the search correctly from the git go.

I would use a where clause and stats. Keep in mind I am doing this off the cuff.

...|stats count by host, SourceName| where count>5 | chart count over host by SourceName

This may get you closer. Also might work better with subsearch.

...|stats count by host, SourceName| streamstats sum(count) as total_count by host |selfjoin  host |where total_count>5 | chart count over host by SourceName