Reputation: 943
I am trying to create a table in Splunk that contains several fields that were extracted plus a count of the total number of entries that get returned when I give Splunk a string to search for. The issue I am having is that when I use the stats command to get a count of the results that get returned and pipe it to the table, it just leaves all of the fields blank but shows a value for the count of the results returned. Without the count logic, the table shows all of the values I am after. Below is my example query:
index=test "Failed to find file"
| table host, sourceUser, sourceApp, source
| rename host as "Server", sourceUser as "User", sourceApp as "Application", source as "Log"
Here are the example results (in two line CSV since I can't post a pic):
Server,User,Application,Log
myserver1,joesmith,RadomApp,C:\Users\Joe\Log.txt
That will return all of the fields I asked for. If I add the stats command (as shown below), it returns a table with all of the columns, but the only one that has data is the "Error Count" column:
index=test "Failed to find file"
| stats count as error
| table host, sourceUser, sourceApp, source, error
| rename host as "Server", sourceUser as "User", sourceApp as "Application", source as "Log", error as "Error Count"
Example results:
Server,User,Application,Log,Error Count
,,,,1
Any idea of what the best way to go about this is?
Upvotes: 2
Views: 41219
Reputation: 943
Someone I know came up with the solution. I needed to change the 'stats' line so that the final query looks like this:
index=test "Failed to find file"
| stats count as error by host, sourceUser, sourceApp, source
| table host, sourceUser, sourceApp, source, error
| rename host as "Server", sourceUser as "User", sourceApp as "Application", source as "Log", error as "Error Count"
Upvotes: 5
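As an added example (not from the original question or answer): the "stats ... by" form returns one row per distinct combination of the four fields, and "error" is the count for that combination only, not the total number of matching events. The query below, which assumes the same index and field names as the question, keeps that per-combination count and adds the grand total next to it with eventstats, which annotates rows with an aggregate instead of collapsing them. It also fills missing values first, because stats silently drops any event in which one of the "by" fields is absent.

```spl
index=test "Failed to find file"
| fillnull value="-" host sourceUser sourceApp source
| stats count as error by host, sourceUser, sourceApp, source
| eventstats sum(error) as total
| table host, sourceUser, sourceApp, source, error, total
| rename host as "Server", sourceUser as "User", sourceApp as "Application", source as "Log", error as "Error Count", total as "Total Errors"
```

If the goal is instead to list every individual matching event alongside the overall count, replace the stats line with "| eventstats count as error" and drop the eventstats sum line: the original rows and their fields stay intact and each one carries the total.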