https://community.splunk.com/t5/Splunk-Search/How-to-organize-values-in-Statistics-search/m-p/370599#M109074 <P>First, verify whether there is an unprintable character between "Question? No" and "If yes, Question?". If so, we will need to key on that to split the data.</P> <P>If not, then the next question is, are the question stems always exactly the same wording, or a small set of alternatives? In that case, we can use a rex to extract them to individual fields using a regex such as one of the following....</P> <P>...if you want the questions and answers each separate...</P> <PRE><CODE>| rex field=myfield "(?&lt;Q1&gt;Question\?)\s*(?&lt;A1&gt;.*?)(?&lt;Q2&gt;If yes, Question\?)\s*(?&lt;A2&gt;.*?)(?&lt;Q3&gt;Does this even do something\?)\s*(?&lt;A3&gt;.*?)(?&lt;Q4&gt;Is the event a false positive\?)\s*(?&lt;A4&gt;.*?)(?&lt;Q5&gt;Ticket number:)\s*(?&lt;A5&gt;.*?)(?&lt;Q6&gt;Source Unique Identifier \(UI\):)\s*(?&lt;A6&gt;.*?)(?&lt;Q7&gt;Alert trigger time:)\s*(?&lt;A7&gt;.*?)(?&lt;Q8&gt;Event start time:)\s*(?&lt;A8&gt;.*)" </CODE></PRE> <P>...if you want each question and answer as a unit ...</P> <PRE><CODE>| rex field=myfield "(?&lt;Q1&gt;Question\?\s*.*?)(?&lt;Q2&gt;If yes, Question\?\s*.*?)(?&lt;Q3&gt;Does this even do something\?\s*.*?)(?&lt;Q4&gt;Is the event a false positive\?\s*.*?)(?&lt;Q5&gt;Ticket number:\s*.*?)(?&lt;Q6&gt;Source Unique Identifier \(UI\):\s*.*?)(?&lt;Q7&gt;Alert trigger time:\s*.*?)(?&lt;Q8&gt;Event start time:\s*.*)" </CODE></PRE> Tue, 09 May 2017 21:05:49 GMT DalJeanis 2017-05-09T21:05:49Z https://community.splunk.com/t5/Splunk-Search/How-to-organize-values-in-Statistics-search/m-p/370598#M109073 <P>Hi, I have a blob of text in both the title and description file, I've tried looking for how to seperate them when I am seraching but I have not found anything. It looks like </P> <P>Question? NoIf yes, Question? N/ADoes this even do something? N/AIs the event a false positive? YesTicket number: N/ASource Unique Identifier (UI): Alert trigger time: Date/time UTCEvent start time: Date/time </P> <P>etc</P> <P>I would like it to look like this<BR /> Question? No<BR /> If yes, Question? N/A<BR /> Does this even do something? N/A<BR /> Is the event a false positive? Yes<BR /> Ticket number: N/A<BR /> Source Unique Identifier (UI):<BR /><BR /> Alert trigger time: Date/time UTC<BR /> Event start time: Date/time </P> <P>The search I'm using is this </P> <P>| inputlookup append=t investigative_canvas_entries_lookup <BR /> | table _time creator owner title description canvas_id<BR /> | sort -_time </P> Tue, 29 Sep 2020 14:00:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-organize-values-in-Statistics-search/m-p/370598#M109073 ecm9210 2020-09-29T14:00:00Z https://community.splunk.com/t5/Splunk-Search/How-to-organize-values-in-Statistics-search/m-p/370599#M109074 <P>First, verify whether there is an unprintable character between "Question? No" and "If yes, Question?". If so, we will need to key on that to split the data.</P> <P>If not, then the next question is, are the question stems always exactly the same wording, or a small set of alternatives? In that case, we can use a rex to extract them to individual fields using a regex such as one of the following....</P> <P>...if you want the questions and answers each separate...</P> <PRE><CODE>| rex field=myfield "(?&lt;Q1&gt;Question\?)\s*(?&lt;A1&gt;.*?)(?&lt;Q2&gt;If yes, Question\?)\s*(?&lt;A2&gt;.*?)(?&lt;Q3&gt;Does this even do something\?)\s*(?&lt;A3&gt;.*?)(?&lt;Q4&gt;Is the event a false positive\?)\s*(?&lt;A4&gt;.*?)(?&lt;Q5&gt;Ticket number:)\s*(?&lt;A5&gt;.*?)(?&lt;Q6&gt;Source Unique Identifier \(UI\):)\s*(?&lt;A6&gt;.*?)(?&lt;Q7&gt;Alert trigger time:)\s*(?&lt;A7&gt;.*?)(?&lt;Q8&gt;Event start time:)\s*(?&lt;A8&gt;.*)" </CODE></PRE> <P>...if you want each question and answer as a unit ...</P> <PRE><CODE>| rex field=myfield "(?&lt;Q1&gt;Question\?\s*.*?)(?&lt;Q2&gt;If yes, Question\?\s*.*?)(?&lt;Q3&gt;Does this even do something\?\s*.*?)(?&lt;Q4&gt;Is the event a false positive\?\s*.*?)(?&lt;Q5&gt;Ticket number:\s*.*?)(?&lt;Q6&gt;Source Unique Identifier \(UI\):\s*.*?)(?&lt;Q7&gt;Alert trigger time:\s*.*?)(?&lt;Q8&gt;Event start time:\s*.*)" </CODE></PRE> Tue, 09 May 2017 21:05:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-organize-values-in-Statistics-search/m-p/370599#M109074 DalJeanis 2017-05-09T21:05:49Z