1.  index=abc source="/opt/src/datasource.tmp" | dedup _raw | table Servers | stats count(Servers) as Total 2.  index=abc source="/opt/src/datasource.tmp" | dedup _raw | table CompletedServers | stats count(CompletedServers) as Completed As @PickleRick points out, these searches you posted reveal potentially deeper problems that is your data.  If there is a need to dedup _raw, you should try clean up data first.  Also, there should never be two separate index searches using the same source.  PickleRick already illustrated a single search to get the same counts.   Let me further point out that most likely, the two searches produce the exact same count if Servers and CompletedServers appear in the same events. But back to your original table ServerName             UpgradeStatus ==========         ============= Server1                     Completed Server2                     Completed Server3                     Completed Server4                     Completed Server5                     Completed Server6                     Completed Server7                     Pending Server8                     Pending Server9                     Pending Server10                  Pending Obviously, neither of your searches will provide those "Pending" ones.  When asking a question in a public forum, it is really important to explain your input and output.  It is obvious that you did not think @sainag_splunk's and my previous answers did not give you the solution because you didn't even have the table. Because If you did, either of our searches will have given you the table you needed. So, I venture to guess that the real question is how to derive the first table from the index data you have.  Once this table is formed, either of our suggestions would have given you the display you wanted.  Is this correct? Back to the problem of UpgradeStatus.  When I point out that your searches do not produce Pending values, the big question is: What is in CompletedStatus?  Does it give "Completed" for some ServerName, and "Pending" for others?  And what is the field name that gives you ServerName?  Is it Servers used in your first search? If both are true, and that ServerName and CompletedStatus appear in the same events, the solution is as simple as index=abc source="/opt/src/datasource.tmp" | stats dc(Servers) as count by CompletedStatus | eventstats sum(count) as total | eval count = count . " (" . round(count / total * 100) . "%)" | fields - total | transpose header_field=CompletedStatus | fields - column In other words, all that change from my previous answer is field names that I guess from the two meaningless searches. Here are my four commandments of asking answerable data analytics questions: Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at. Illustrate the desired output from illustrated data. Explain the logic between illustrated data and desired output without SPL. If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious. Volunteers are not your mind readers.  It is unfair to ask unanswerable questions here. ... View more

Sorry its not complete. Can you help me with complete query to achieve above result. First need to get Final status then display the final status count based on dropdown selection like department, Location, Company.    I have given the sample.csv raw data. Can you give me single value count query to  get the final status count for servers and then again display the the count based on department, location or company dropdown selection.     ... View more

Sorry, but I still can't understand what the problem is (true, that can be my fault). I'm not sure if you want something different than <search by your conditions> | stats values(status) by host <and the rest of split fields> | eval finalstatus=if(status="No","No","Yes") | stats count by <your split fields> finalstatus ... View more

| makeresults count=5 | fields - _time | streamstats count as row | eval database1=mvindex(split("ABCDE",""),row - 1) | fields - row | appendcols [| makeresults count=7 | streamstats count as row | eval database2=mvindex(split("ABCEFGH",""),row - 1) | fields - row] | eval result=database2 ... View more

@ITWhisperer  Yes that's right. Once in a week the the progress data file will be pushed to Splunk. So how can we compare previous week and this week data for Training completion percentage? So that i know the progress from the last week to this week.   I can post a new question if needed 🙂  ... View more

Hi @Mallik657, did you see the Splunk Dashboard Examples App I mentioned? This app was done just for people without experiences in dashboarding. In the Single Value element dashboard, you can see how to put in the same row more Single Value Panels. You have to adapt this approach to your searches and make the same thing for each value of OS Type. Then, when you created your table dashboard, you can see the second problem: too many searches in one dashboard make the dashboard too slow for working, the solution is Post Process Search. About Post Process Search, in the Splunk Dashboard Examples App, in the Dashboard called Poste Process Search you have a description about how to implement this approach. I could send you an example of an already done table of 5x5 Single Value Panels, but if you aren't able to see the Dashboard Examples App, it will not be useful. So start to analyze and use the Splunk Dashboard Examples App to solve your problem and probably also others. Ciao. Giuseppe ... View more