https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491601#M137229 <P>Thanks guys.</P> <P>All the above suggestions are working on this sample data.<BR /> But the first suggestion by @to4kawa worked for my actual data.</P> <P>The data was in text format only not sure, why other two was not working.</P> <P>Once again, thanks a lot for your suggestions</P> <P>Thanks<BR /> Nilesh</P> Tue, 17 Mar 2020 06:45:08 GMT nilbak1 2020-03-17T06:45:08Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491597#M137225 <P>I am running below Query</P> <P><CODE>| makeresults| eval data="Brand1,File1,123;Brand1,File2,456;Brand2,File1,789;Brand2,File2,124;Brand3,File1,125;Brand3,File2,786"| makemv data delim=";" | rex field=data max_match=0 "(?&lt;Brand&gt;\w+\d+),(?&lt;Files&gt;\w+\d+)\,(?&lt;Size&gt;\d+)" | fields - _time,data | table Brand,Size,Files| chart values(Size) over Files by Brand</CODE></P> <P>And want result in below format</P> <P>Files Brand1 Brand2 Brand3<BR /> File1 123 789 125<BR /><BR /> File2 456 124 786</P> <P>But result is coming as attached in picture. Whats wrong with the Query ?<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8529iC6797E7109D935FB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Fri, 13 Mar 2020 08:01:08 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491597#M137225 nilbak1 2020-03-13T08:01:08Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491598#M137226 <P>Hi</P> <P>Check this</P> <PRE><CODE>| makeresults | eval data="Brand1,File1,123;Brand1,File2,456;Brand2,File1,789;Brand2,File2,124;Brand3,File1,125;Brand3,File2,786" | makemv data delim=";" | mvexpand data | rex field=data max_match=0 "(?&lt;Brand&gt;\w+\d+),(?&lt;Files&gt;\w+\d+)\,(?&lt;Size&gt;\d+)" | fields Brand,Files,Size | eval {Brand}=Size | fields - Brand, Size | stats values(*) as * by Files </CODE></PRE> Fri, 13 Mar 2020 08:22:22 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491598#M137226 vnravikumar 2020-03-13T08:22:22Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491599#M137227 <P>Indeed. Key thing here is adding the <CODE>| mvexpand data</CODE>. Otherwise you are working with a single row, with multivalued fields, which results in the outcome as per the screenshot.</P> Fri, 13 Mar 2020 10:53:40 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491599#M137227 FrankVl 2020-03-13T10:53:40Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491600#M137228 <P>From your result:</P> <PRE><CODE>| makeresults | eval data="Brand1,File1,123;Brand1,File2,456;Brand2,File1,789;Brand2,File2,124;Brand3,File1,125;Brand3,File2,786" | makemv data delim=";" | rex field=data max_match=0 "(?&lt;Brand&gt;\w+\d+),(?&lt;Files&gt;\w+\d+)\,(?&lt;Size&gt;\d+)" | fields - _time,data | table Brand,Size,Files | rename COMMENT as "this is your sample , From here , the logic" | eval _counter = mvrange(0,mvcount(Brand)) | stats list(*) as * by _counter | foreach * [ eval &lt;&lt;FIELD&gt;&gt; = mvindex('&lt;&lt;FIELD&gt;&gt;' , _counter)] | xyseries Brand Files Size | transpose 0 header_field=Brand column_name=Files </CODE></PRE> <P>More efficient:</P> <PRE><CODE>| makeresults | eval data="Brand1,File1,123;Brand1,File2,456;Brand2,File1,789;Brand2,File2,124;Brand3,File1,125;Brand3,File2,786" | makemv data delim=";" | stats count by data | rex field=data "(?&lt;Brand&gt;\w+\d+),(?&lt;Files&gt;\w+\d+)\,(?&lt;Size&gt;\d+)" | fields - _time,data,count | chart sum(Size) by Files Brand </CODE></PRE> <P>Hi folks.<BR /> Maybe, you want to extract these from JSON.<BR /> I create two query, How about these?</P> Sun, 15 Mar 2020 05:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491600#M137228 to4kawa 2020-03-15T05:20:13Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491601#M137229 <P>Thanks guys.</P> <P>All the above suggestions are working on this sample data.<BR /> But the first suggestion by @to4kawa worked for my actual data.</P> <P>The data was in text format only not sure, why other two was not working.</P> <P>Once again, thanks a lot for your suggestions</P> <P>Thanks<BR /> Nilesh</P> Tue, 17 Mar 2020 06:45:08 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-below-Query/m-p/491601#M137229 nilbak1 2020-03-17T06:45:08Z