https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562060#M195472 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237124">@samdjava</a>&nbsp;</P><P>To extract value from raw event use below search.</P><LI-CODE lang="markup">YOUR_SEARCH | rex field=_raw "actionKey=(?&lt;actionKey&gt;[^,]+),\sconfidenceScore=(?&lt;confidenceScore&gt;[^,]+),\smodelName=(?&lt;modelName&gt;[^,]+),\sprogramName=(?&lt;programName&gt;[^}]+)" max_match=0 | eval t=mvzip(mvzip(mvzip(actionKey,confidenceScore),modelName),programName) | mvexpand t | eval actionKey = mvindex(split(t,","),0) ,confidenceScore= mvindex(split(t,","),1),modelName= mvindex(split(t,","),2),programName= mvindex(split(t,","),3) | fields - t</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="Request{userId='6699249',channelWise='SOCIAL', cid='1627958668279-9a93682610ee1c700c7e5d4ad01e8c76207274', sid=b8d2a070-f404-11eb-9cf4-5d474ec9ecbc, mlrecopred=[{actionKey=search, confidenceScore=83.46, modelName=model_forrest, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=82.94, modelName=model_forrest, programName=sapbased}, {actionKey=inventory_check, confidenceScore=65.21, modelName=model_forrest, programName=sapbased}, {actionKey=search, confidenceScore=63.46, modelName=event_handler, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=55.45, modelName=event_handler, programName=sapbased}], interactionId=0d6b031fdddba957, uniqueId='ed064f15d49c70ea7f540f7fe2ed2b7083e6eef8760f645f05d6600ad1208c3d'}" | rex field=_raw "actionKey=(?&lt;actionKey&gt;[^,]+),\sconfidenceScore=(?&lt;confidenceScore&gt;[^,]+),\smodelName=(?&lt;modelName&gt;[^,]+),\sprogramName=(?&lt;programName&gt;[^}]+)" max_match=0 | eval t=mvzip(mvzip(mvzip(actionKey,confidenceScore),modelName),programName) | mvexpand t | eval actionKey = mvindex(split(t,","),0) ,confidenceScore= mvindex(split(t,","),1),modelName= mvindex(split(t,","),2),programName= mvindex(split(t,","),3) | fields - t | de</LI-CODE><P>&nbsp;</P><P>For Unique event you can use below search</P><LI-CODE lang="markup">| dedup actionKey, modelName, programName</LI-CODE><P>&nbsp;</P><P>Use below search for filter event</P><LI-CODE lang="markup">| where confidenceScore &gt; 70.00</LI-CODE><P>&nbsp;</P><P>KV</P> Wed, 04 Aug 2021 11:25:37 GMT kamlesh_vaghela 2021-08-04T11:25:37Z https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562056#M195469 <P>I would like to find</P><P>1. all unique combination of actionKey, modelName, programName</P><P>2. only consider data if they have a confidence score &gt; 70.00</P><P>Splunk Raw Log -</P><LI-CODE lang="markup">2021-08-04 07:35:39,069 INFO [boundedElastic-87] [traceId="a4d01423048aa5de"] Request{userId='6699249',channelWise='SOCIAL', cid='1627958668279-9a93682610ee1c700c7e5d4ad01e8c76207274', sid=b8d2a070-f404-11eb-9cf4-5d474ec9ecbc, mlrecopred=[{actionKey=search, confidenceScore=83.46, modelName=model_forrest, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=82.94, modelName=model_forrest, programName=sapbased}, {actionKey=inventory_check, confidenceScore=65.21, modelName=model_forrest, programName=sapbased}, {actionKey=search, confidenceScore=63.46, modelName=event_handler, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=55.45, modelName=event_handler, programName=sapbased}], interactionId=0d6b031fdddba957, uniqueId='ed064f15d49c70ea7f540f7fe2ed2b7083e6eef8760f645f05d6600ad1208c3d'} </LI-CODE> Wed, 04 Aug 2021 11:08:57 GMT https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562056#M195469 samdjava 2021-08-04T11:08:57Z https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562060#M195472 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237124">@samdjava</a>&nbsp;</P><P>To extract value from raw event use below search.</P><LI-CODE lang="markup">YOUR_SEARCH | rex field=_raw "actionKey=(?&lt;actionKey&gt;[^,]+),\sconfidenceScore=(?&lt;confidenceScore&gt;[^,]+),\smodelName=(?&lt;modelName&gt;[^,]+),\sprogramName=(?&lt;programName&gt;[^}]+)" max_match=0 | eval t=mvzip(mvzip(mvzip(actionKey,confidenceScore),modelName),programName) | mvexpand t | eval actionKey = mvindex(split(t,","),0) ,confidenceScore= mvindex(split(t,","),1),modelName= mvindex(split(t,","),2),programName= mvindex(split(t,","),3) | fields - t</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="Request{userId='6699249',channelWise='SOCIAL', cid='1627958668279-9a93682610ee1c700c7e5d4ad01e8c76207274', sid=b8d2a070-f404-11eb-9cf4-5d474ec9ecbc, mlrecopred=[{actionKey=search, confidenceScore=83.46, modelName=model_forrest, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=82.94, modelName=model_forrest, programName=sapbased}, {actionKey=inventory_check, confidenceScore=65.21, modelName=model_forrest, programName=sapbased}, {actionKey=search, confidenceScore=63.46, modelName=event_handler, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=55.45, modelName=event_handler, programName=sapbased}], interactionId=0d6b031fdddba957, uniqueId='ed064f15d49c70ea7f540f7fe2ed2b7083e6eef8760f645f05d6600ad1208c3d'}" | rex field=_raw "actionKey=(?&lt;actionKey&gt;[^,]+),\sconfidenceScore=(?&lt;confidenceScore&gt;[^,]+),\smodelName=(?&lt;modelName&gt;[^,]+),\sprogramName=(?&lt;programName&gt;[^}]+)" max_match=0 | eval t=mvzip(mvzip(mvzip(actionKey,confidenceScore),modelName),programName) | mvexpand t | eval actionKey = mvindex(split(t,","),0) ,confidenceScore= mvindex(split(t,","),1),modelName= mvindex(split(t,","),2),programName= mvindex(split(t,","),3) | fields - t | de</LI-CODE><P>&nbsp;</P><P>For Unique event you can use below search</P><LI-CODE lang="markup">| dedup actionKey, modelName, programName</LI-CODE><P>&nbsp;</P><P>Use below search for filter event</P><LI-CODE lang="markup">| where confidenceScore &gt; 70.00</LI-CODE><P>&nbsp;</P><P>KV</P> Wed, 04 Aug 2021 11:25:37 GMT https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562060#M195472 kamlesh_vaghela 2021-08-04T11:25:37Z https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562061#M195473 <LI-CODE lang="markup">| makeresults | eval _raw="2021-08-04 07:35:39,069 INFO [boundedElastic-87] [traceId=\"a4d01423048aa5de\"] Request{userId='6699249',channelWise='SOCIAL', cid='1627958668279-9a93682610ee1c700c7e5d4ad01e8c76207274', sid=b8d2a070-f404-11eb-9cf4-5d474ec9ecbc, mlrecopred=[{actionKey=search, confidenceScore=83.46, modelName=model_forrest, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=82.94, modelName=model_forrest, programName=sapbased}, {actionKey=inventory_check, confidenceScore=65.21, modelName=model_forrest, programName=sapbased}, {actionKey=search, confidenceScore=63.46, modelName=event_handler, programName=sapbased}, {actionKey=shipping_and_delivery, confidenceScore=55.45, modelName=event_handler, programName=sapbased}], interactionId=0d6b031fdddba957, uniqueId='ed064f15d49c70ea7f540f7fe2ed2b7083e6eef8760f645f05d6600ad1208c3d'}" | rex "mlrecopred=\[(?&lt;mlrecopred&gt;[^\]]+)" | rex max_match=0 field=mlrecopred "\{(?&lt;keyvalues&gt;[^\}]+)\}" | mvexpand keyvalues | eval raw=_raw, _raw=keyvalues | extract pairdelim="," kvdelim="=" | where confidenceScore &gt; 70 | dedup actionKey modelName programName | table actionKey modelName programName</LI-CODE> Wed, 04 Aug 2021 11:27:01 GMT https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562061#M195473 ITWhisperer 2021-08-04T11:27:01Z https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562068#M195476 <P>Thanks for helping out</P> Wed, 04 Aug 2021 12:28:58 GMT https://community.splunk.com/t5/Splunk-Search/Get-the-list-of-unique-combination/m-p/562068#M195476 samdjava 2021-08-04T12:28:58Z