https://community.splunk.com/t5/Splunk-Search/How-to-make-list-x-include-all-values/m-p/369284#M108795 <P>Hi @jpayne1</P> <P>Can you please try below search?</P> <PRE><CODE>... | rex field=Names ".*(?&lt;Flag&gt;Bill).*" | fillnull value=" " Flag | eval tempField= mvzip(mvzip(Flag,names),Address) | stats count by tempField | eval Flag = mvindex(split(tempField,","),0), names= mvindex(split(tempField,","),1), Address=mvindex(split(tempField,","),2) | table Address Flag Names </CODE></PRE> <P>Thanks</P> Tue, 14 Nov 2017 05:21:20 GMT kamlesh_vaghela 2017-11-14T05:21:20Z https://community.splunk.com/t5/Splunk-Search/How-to-make-list-x-include-all-values/m-p/369282#M108793 <P>list(x) does not return all values. If I have white space as my value, list omits it. Here is a simplified example of my use case:</P> <P>Desired output:</P> <PRE><CODE> Address Flag Names ---------------------------- IP1 Jack Jill IP2 Todd Tammy IP3 Bill Bill Bob </CODE></PRE> <P>Partial code snippet:</P> <PRE><CODE>... | rex field=Names ".*(?&lt;Flag&gt;Bill).*" | fillnull value=" " Flag | stats list(Flag) list(names) by Address </CODE></PRE> <P>But I'm getting:</P> <PRE><CODE> Address Flag Names ---------------------------- IP1 Bill Jack Jill IP2 Todd Tammy IP3 Bill Bob </CODE></PRE> <P>I tried using a fillnull value of 0, running the list command, then replacing the 0 with " ", but this still doesn't preserve the order. The value Bill shoots back up to the first line as soon as I replace the zeros.</P> <P>I'm currently using a table instead, but this adds a lot more rows and is not as easy to read, especially if an IP has many records. I could change fillvalue to a non-whitespace character, but that would look a bit sloppy to the end user, although it is better than resorting to table.</P> <P>Has anyone else dealt with this? Should I be going at this a completely different way than list? </P> Tue, 14 Nov 2017 01:43:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-list-x-include-all-values/m-p/369282#M108793 jpayne1 2017-11-14T01:43:38Z https://community.splunk.com/t5/Splunk-Search/How-to-make-list-x-include-all-values/m-p/369283#M108794 <P>@jpayne1, try the following <CODE>searchmatch()</CODE> command instead of <CODE>rex</CODE>:</P> <PRE><CODE> &lt;YourBaseSearch&gt; | eval Flag=if(searchmatch("\&lt;Flag\&gt;Bill"),"Bill","NA") | stats list(Flag) as Flag list(names) as Names by Address </CODE></PRE> <P>Can your data have multiple values of Flag and Names for same IP Addresses? Can you please share the data for IP1, IP2 and IP3? Specially the <CODE>&lt;Flag&gt;</CODE> portion of the code as to what it looks like when the value is not <CODE>Bill</CODE>? You can mock anonymize data if required.</P> Tue, 14 Nov 2017 02:08:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-list-x-include-all-values/m-p/369283#M108794 niketn 2017-11-14T02:08:11Z https://community.splunk.com/t5/Splunk-Search/How-to-make-list-x-include-all-values/m-p/369284#M108795 <P>Hi @jpayne1</P> <P>Can you please try below search?</P> <PRE><CODE>... | rex field=Names ".*(?&lt;Flag&gt;Bill).*" | fillnull value=" " Flag | eval tempField= mvzip(mvzip(Flag,names),Address) | stats count by tempField | eval Flag = mvindex(split(tempField,","),0), names= mvindex(split(tempField,","),1), Address=mvindex(split(tempField,","),2) | table Address Flag Names </CODE></PRE> <P>Thanks</P> Tue, 14 Nov 2017 05:21:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-list-x-include-all-values/m-p/369284#M108795 kamlesh_vaghela 2017-11-14T05:21:20Z