https://community.splunk.com/t5/Splunk-Search/How-can-I-split-stats-into-rows/m-p/489874#M136824 <P><STRONG>MY SPL</STRONG></P> <P>(index=* source="/var/log/authlog" "sudo" AND ("<EM>tar -x*f</EM>" OR "<EM>pkg install</EM>" OR "<EM>pkg uninstall</EM>")) OR (index=* source="/var/log/authlog" "<EM>Accepted</EM>" "ssh*") </P> <P>| regex _raw!= ".<EM>which.</EM>"<BR /> | regex _raw!= ".<EM>man.</EM>"<BR /> | regex _raw!= ".<EM>user NOT in sudoers.</EM>"<BR /> | rex field=_raw ".<EM>(?&lt;=])\s</EM>(?P[[:alnum:]]\S*[[:alnum:]])\s*(?=:).<EM>(?&lt;=COMMAND=)(?P.</EM>)"<BR /> | rex field=_raw ".<EM>(?&lt;=for)\s</EM>(?P[[:alnum:]]\S*[[:alnum:]])(?=\sfrom).<EM>(?&lt;=from)\s</EM>(?[[:digit:]]+.[[:digit:]]+.[[:digit:]]+.[[:digit:]]+)(?=\sport)" </P> <P>| eval "Command/Events" = replace(command,"^(\/usr\/bin\/|\/usr\/sbin\/)","")<BR /> | eval Time = case(match(_raw,".<EM>sudo.*COMMAND.</EM>"),strftime(_time, "%Y-%d-%m %H:%M:%S"))<BR /> | eval Date=strftime(_time, "%Y-%d-%m")<BR /> | eval "Report ID" = "ABLR-028"</P> <P>| stats values(Time) as Time list("Command/Events") as "Command/Events" values(ip_address) as ip by Users host index Date "Report ID"<BR /> | where Time !=""</P> <P><IMG src="https://community.splunk.com/storage/temp/291636-qn1.png" alt="alt text" /></P> <P>Result... </P> <P>Row 1</P> <P>b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:50:17, pkg uninstall vsftpd (10.54.32.2,10.54.32.32)<BR /> Ip address as multivalue field</P> <P>Row 2</P> <P>b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:54:49, pkg uninstall rsyslog (10.54.32.2,10.54.32.32)<BR /> Ip address as multivalue field</P> Wed, 30 Sep 2020 05:16:47 GMT xnx_1012 2020-09-30T05:16:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-split-stats-into-rows/m-p/489874#M136824 <P><STRONG>MY SPL</STRONG></P> <P>(index=* source="/var/log/authlog" "sudo" AND ("<EM>tar -x*f</EM>" OR "<EM>pkg install</EM>" OR "<EM>pkg uninstall</EM>")) OR (index=* source="/var/log/authlog" "<EM>Accepted</EM>" "ssh*") </P> <P>| regex _raw!= ".<EM>which.</EM>"<BR /> | regex _raw!= ".<EM>man.</EM>"<BR /> | regex _raw!= ".<EM>user NOT in sudoers.</EM>"<BR /> | rex field=_raw ".<EM>(?&lt;=])\s</EM>(?P[[:alnum:]]\S*[[:alnum:]])\s*(?=:).<EM>(?&lt;=COMMAND=)(?P.</EM>)"<BR /> | rex field=_raw ".<EM>(?&lt;=for)\s</EM>(?P[[:alnum:]]\S*[[:alnum:]])(?=\sfrom).<EM>(?&lt;=from)\s</EM>(?[[:digit:]]+.[[:digit:]]+.[[:digit:]]+.[[:digit:]]+)(?=\sport)" </P> <P>| eval "Command/Events" = replace(command,"^(\/usr\/bin\/|\/usr\/sbin\/)","")<BR /> | eval Time = case(match(_raw,".<EM>sudo.*COMMAND.</EM>"),strftime(_time, "%Y-%d-%m %H:%M:%S"))<BR /> | eval Date=strftime(_time, "%Y-%d-%m")<BR /> | eval "Report ID" = "ABLR-028"</P> <P>| stats values(Time) as Time list("Command/Events") as "Command/Events" values(ip_address) as ip by Users host index Date "Report ID"<BR /> | where Time !=""</P> <P><IMG src="https://community.splunk.com/storage/temp/291636-qn1.png" alt="alt text" /></P> <P>Result... </P> <P>Row 1</P> <P>b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:50:17, pkg uninstall vsftpd (10.54.32.2,10.54.32.32)<BR /> Ip address as multivalue field</P> <P>Row 2</P> <P>b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:54:49, pkg uninstall rsyslog (10.54.32.2,10.54.32.32)<BR /> Ip address as multivalue field</P> Wed, 30 Sep 2020 05:16:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-stats-into-rows/m-p/489874#M136824 xnx_1012 2020-09-30T05:16:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-split-stats-into-rows/m-p/489875#M136825 <PRE><CODE>... | eval "Report ID" = "ABLR-028" | stats values(Time) as Time list("Command/Events") as "CE" list(ip_address) as ip by Users host index Date "Report ID" | where Time !="" | rename "Report ID" as Rid | eval counter=mvrange(0,mvcount(Time)) | streamstats count as sessions | stats list(*) as * by sessions counter | foreach Time CE ip [ eval &lt;&lt;FIELD&gt;&gt; = mvindex('&lt;&lt;FIELD&gt;&gt;', counter)] | rename Rid as "Report ID" ,CE as "Command/Events" | fields - counter sessions </CODE></PRE> Fri, 01 May 2020 09:33:49 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-stats-into-rows/m-p/489875#M136825 to4kawa 2020-05-01T09:33:49Z https://community.splunk.com/t5/Splunk-Search/How-can-I-split-stats-into-rows/m-p/489876#M136826 <P>Thank you so much <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> got the results I wanted</P> Fri, 01 May 2020 15:31:24 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-stats-into-rows/m-p/489876#M136826 xnx_1012 2020-05-01T15:31:24Z