Try now with this, i used untable command
index=_internal sourcetype=splunkd NOT host=chsxspl* component=TcpOutputProc log_level=INFO splunk_server_group=ewe earliest=-15m
| rex field=idx "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
| eval splunk_environment=case(cidrmatch("xx.xx.xx.0/24",ip_address), "Splunk 4", cidrmatch("xx.xx.xx.0/24",ip_address), "Splunk 6")
| stats dc(host) as server_count by host, splunk_environment
| rex field=host "^(?\S+[^0-9])\d+"
| eval server_cluster = upper(server_cluster)
| chart sum(server_count) as servercount by server_cluster, splunk_environment
| untable server_cluster splunk_environment servercount
| where (servercount! =" ") AND splunk_environment = (" splunk 6") AND (server_cluster=" HOST3" ) AND (server_cluster="HOST4")
| chart servercount by server_cluster, splunk_environment
| rename server_cluster as "Server Clusters"
| addcoltotals
I test it with search that follow:
index=_internal | chart count by sourcetype, user |head 10 |untable sourcetype user count | where (count!=0) AND (user="admin") |chart count by sourcetype, user
... View more