https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439272#M124973 <P>Hi @ramesh12345</P> <P>Try this rex</P> <PRE><CODE>| makeresults | eval comments="Case:1111 Worked persons: Raju,Ramu,rahul" | appendpipe [| eval comments="Case:1112 Worked persons: Ramu,rahul"] | rex field=comments "Case:(?P&lt;CaseNumber&gt;.\d+).+\:\s(?P&lt;Names&gt;.+)$" | makemv delim="," Names | mvexpand Names | stats count by Names </CODE></PRE> Wed, 13 Mar 2019 13:58:05 GMT vnravikumar 2019-03-13T13:58:05Z https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439271#M124972 <P>Hi,</P> <P>We have closed cases and escalated cases,in that single person can work on particular case as well as multiple persons worked on particular case.So my requirement is to display in bar chart how many cases resolved and escalated by person.</P> <PRE><CODE>Ex: Case:1111 Worked persons: Raju,Ramu,rahul Case:1112 Worked persons: Ramu,rahul Case:1113 Worked persons: Raju Case:1115 Worked persons: Ramu </CODE></PRE> <P>So my chart should be </P> <PRE><CODE>Raju count is 2 Ramu count is 2 rahul count is 1 like this </CODE></PRE> <P>My Basic search is:</P> <PRE><CODE>index="os" sourcetype="Service" CaseNumber=* status=* assignment_group=* |dedup _time,CaseNumber,assignment |streamstats current=f last(assignment) as lg, last(active) as Active by CaseNumber|lookup test.csv check as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment!=lg AND assignment="Sustaining",1,NULL) |eval is_resolved=if(assignment="Sustaining" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" assigned_to,TeamName| fields - TeamName </CODE></PRE> <P>I retrieved the names from comments using below search:</P> <PRE><CODE>index="os" sourcetype="Service" CaseNumber=*|dedup _time,CaseNumber,status|rex field=Comments"(?\w*\W*\w*\s*\w*\s*\s\(\d+\))" |stats values(Names) as Names by CaseNumber|nomv Names|table CaseNumber,Names,status </CODE></PRE> <P>So I want to display resolved and escalated cases by name.Please help how to do this.</P> Wed, 13 Mar 2019 12:27:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439271#M124972 ramesh12345 2019-03-13T12:27:42Z https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439272#M124973 <P>Hi @ramesh12345</P> <P>Try this rex</P> <PRE><CODE>| makeresults | eval comments="Case:1111 Worked persons: Raju,Ramu,rahul" | appendpipe [| eval comments="Case:1112 Worked persons: Ramu,rahul"] | rex field=comments "Case:(?P&lt;CaseNumber&gt;.\d+).+\:\s(?P&lt;Names&gt;.+)$" | makemv delim="," Names | mvexpand Names | stats count by Names </CODE></PRE> Wed, 13 Mar 2019 13:58:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439272#M124973 vnravikumar 2019-03-13T13:58:05Z https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439273#M124974 <P>Could you please send me the final query.</P> Wed, 13 Mar 2019 14:11:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439273#M124974 ramesh12345 2019-03-13T14:11:38Z https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439274#M124975 <P>But my problem is whenever we write the condition eval is_resolved=if(assignment="Sustaining" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL).it is showing only one person name.i want to assign that case to all who worked on that case.</P> Wed, 13 Mar 2019 14:42:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-names-from-comments-and-assign-values-to-those/m-p/439274#M124975 ramesh12345 2019-03-13T14:42:07Z