Counting by table with splunk - consolidate like fields

I have the following | stats count by HOST, USER, COMMAND | table HOST USER COMMAND count and it gives me a list of what I expect, but I can't seem to figure out how to consolidate HOST and USER and just count how many commands there were so it's just one row.

I'm pretty sure I'm supposed to use list in some way but my results still don't seem to consolidate correctly. Any clues?

I'm trying like this:

 stats list(HOST) as HOST list(USER) as USER count(COMMAND) list(count) as count by COMMAND

Solution

Try this:

| stats values(COMMAND) as COMMAND by HOST USER

How to set a token on a post-process query?
How to do cross validation and counts between two search queries using Multisearch
Formatting the timezone in a way that is parseable
How to show result of a count within a count in Splunk
Splunk Rex Expression
Monolog - each line of log is logged as a new entry
Combine paths to one output in Splunk
How to determine the length of an array field in Splunk?
Splunk sub search join returning null values
Splunk query to find those final results that has events with unique combination of values of two keys in results of main search criteria
login-info.cfg Splunk file semantic and structure
Splunk SignalFX Synthetics: Is it possible to retrieve environment variable values in Javascript
query splunk query joining 2 data tables
Form a results table view from splunk multiple logs
Exclude unnecessary logs being sent to splunk cloud platform
How to Attach Splunk Search Results In JIra Via Terraform Automation?
Regex Substitue only on a specific group - sedcmd (Splunk)
Regex to only return matches when followed by a specific word
embeding conf files into helm chart
Splunk Logs for Faster Queries, with Category Boolean true
How to create a timechart in splunk for the timestamp and extracted field?
Match regex named group up until optional word
How can I access the TraceId generated by splunk-otel-collector within an ASP.NET web application?
Splunk result in Table format
Splunk: How to compute the difference of timestamps by id?
SPLUNK: How can I count events by location with a list of SERVERNAME's?
How to represent difference between same fields from two different and simultaneous searches in a table format in Splunk?
Java 11 HttpClient - POST issue
Flume sink to Splunk?
Questions related to splunk builtin macros in correlation search