Yes, additional modification is needed. Referencing the OP, neither of the queries you provided, resulted in what I'm trying to do. However they do provide the expected output from those queries... Consider the following csv stigid,dnsName,,,,,
WIN-10-0001,Test01,,,,,
WIN-10-0003,Test01,,,,,
WIN-10-0004,Test01,,,,,
WIN-10-0001,Test02,,,,,
WIN-10-0003,Test02,,,,,
WIN-10-0004,Test02,,,,,
WIN-10-0001,Test03,,,,,
WIN-10-0003,Test03,,,,,
WIN-10-0004,Test03,,,,,
WIN-10-0011,Test02,,,,,
WIN-10-0013,Test01,,,,,
WIN-10-0014,Test03,,,,,
WIN-10-0011,Test01,,,,,
WIN-10-0013,Test01,,,,,
WIN-10-0014,Test01,,,,, This CSV assumes all the stigid and hostnames have "Passes". I know that they only 'dnsName' that "Passed" all stigid checks is 'Test01'. In the OP, I'm trying to figure out a way to return how many 'dnsName's have "Passed" all queries. If I use the query below, I get very close: | inputlookup test_kv.csv | eventstats count by dnsName, stigid | stats list(stigid) as id by dnsName | stats count by id This results in the table below: id count WIN-10-0001 3 WIN-10-0003 3 WIN-10-0004 3 WIN-10-0011 2 WIN-10-0013 2 WIN-10-0014 2 This shows me that for the 6 stigid's, only 3 dnsNames have passed 3 of those stigids. However, this is not what I'm trying to do. I know that 'Test01' passed across all 6 I'd like to build a query that reflects that, in this example, only 1 dnsName passed across all stigids.
... View more