Solved: Re: How do I add a count to a table using the tabl...

Svill321 · ‎07-06-2017

How do I add a count to a table using the table command? The project I'm working on requires that a table is mad showing the day of the week, followed by a list of the users who logged on that day and how many time the logged on. The output looks something like this:

=============================================
Wednesday          |                                  user1         |     5
                   |                                  user2         |     3
                   |                                  user3         |     4
                   |                                  user4         |     3
=============================================

I'm currently using this search to get some of what I need:

index=* date=* user=* | transaction date | table date user

But I can't get the count I need at the end. I tried appending a stats count:

index=* date=* user=* | transaction date | table date user | appendcols [search user=* | stats count by user]

But had no luck. Is there anyway to do this?

somesoni2 · ‎07-06-2017

I would do like this (totally avoiding transaction command), will give the output in expected format.

index=* date=* user=* | stats count by date user | stats list(user) as user list(count) as count by date

View solution in original post

somesoni2 · ‎07-06-2017

I would do like this (totally avoiding transaction command), will give the output in expected format.

index=* date=* user=* | stats count by date user | stats list(user) as user list(count) as count by date

Svill321 · ‎07-06-2017

You, my friend, are a saint! This works perfectly. Thanks!

sbbadri · ‎07-06-2017

... | addcoltotals labelfield=change_name label=count

How do I add a count to a table using the table command?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!