Do all the fields have values in all the events or are you only getting stats for events where none of these fields are empty?

To add to your question, it all depends on the Security Center scan data once ingested into Splunk.   The fields don't necessarily have to have value (it all depends on the scan results.  

For your stats command, all the fields mentioned in the by clause need to have values in all the events you want to include in the stats. Since you have some events without values for some of the fields, this will be why the numbers are not coming out as you expected.

Good morning,

So I attempted the following and I am able to get some of the information.   

index=acas sourcetype="tenable:sc:vuln" ( severity=crtiical OR severity=high ) eval lastSeen=strftime(lastSeen, "%m-%d-%Y") | stats count by ip, repository.dataFormat, netbiosName, dnsName, host, macAddress, operationSystem, family.name, version 

I am trying to get the rest of the information but I think it is related to the naming convention.   Not exactly sure how to get the other fields (System Manufacture, System Serial Number, System Model, AWS Account Number, AWS Instance ID #, AWS ENI, System location, and System Purpose)

If the field names have embedded spaces or other special characters, they should be in single quotes.

I am trying to create a query that can provide an output of a Security Center scan.   The output should be able to provide the following in the same order:

1.) IP Address

2.) DNS Name

3.) System Name 

4.) MAC address

5.) OS Type

6.) OS Version

7.) OS Build

8.) System Manufacture 

9.) System Serial Number

10.) System Model

11.) AWS Account Number

12.) AWS Instance ID number

To answer your question there should be values for each category but if there is none then that is ok as well.