https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631062#M219196 <P>Unfortunately I have no control over the log data formatting...</P> <P>it is in format:&nbsp; Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...</P> <P>I have one field, Criteria, that has many values with embedded commas.</P> <P>Splunk search only give me the first value... I want all values treated as one in a stats count by</P> <P>I tried below to rewrite them, and do see the changes, but stats still getting only first value.</P> <P>index=myidx&nbsp; Msg=mymsg&nbsp; |&nbsp; rex mode=sed field=_raw "s/,/-/g"<BR />| bucket span=1d _time as ts<BR />| eval ts=strftime(ts,"%Y-%m-%d")<BR />| stats count by ts Criteria</P> <P>&nbsp;</P> Wed, 15 Feb 2023 20:54:10 GMT Yossarian622 2023-02-15T20:54:10Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631062#M219196 <P>Unfortunately I have no control over the log data formatting...</P> <P>it is in format:&nbsp; Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...</P> <P>I have one field, Criteria, that has many values with embedded commas.</P> <P>Splunk search only give me the first value... I want all values treated as one in a stats count by</P> <P>I tried below to rewrite them, and do see the changes, but stats still getting only first value.</P> <P>index=myidx&nbsp; Msg=mymsg&nbsp; |&nbsp; rex mode=sed field=_raw "s/,/-/g"<BR />| bucket span=1d _time as ts<BR />| eval ts=strftime(ts,"%Y-%m-%d")<BR />| stats count by ts Criteria</P> <P>&nbsp;</P> Wed, 15 Feb 2023 20:54:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631062#M219196 Yossarian622 2023-02-15T20:54:10Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631069#M219200 <P>It is unfortunate that the log isn't quoted as we would have liked. &nbsp;Fortunately, it is formatted well enough for kv aka <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Extract" target="_blank" rel="noopener">extract</A>&nbsp;command.</P><LI-CODE lang="markup">| kv pairdelim="|" ``` kvdelim defaults to "=" so it can be omitted ```</LI-CODE><P>&nbsp;</P> Wed, 15 Feb 2023 21:15:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631069#M219200 yuanliu 2023-02-15T21:15:11Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631079#M219207 <P>I added:&nbsp;&nbsp;| kv pairdelim="|"</P><P>but stats is still only showing me the first value before the comma</P><P>or - if i keep the&nbsp;rex mode=sed field=_raw "s/,/-/g"</P> Wed, 15 Feb 2023 21:51:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631079#M219207 Yossarian622 2023-02-15T21:51:11Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631080#M219208 <P>Sorry for misleading you about kvdelim. &nbsp;You still need it when the string is not quoted.</P><PRE>| makeresults | fields - _time | eval _raw = "Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|..." | kv pairdelim="|" kvdelim="="</PRE><TABLE><TBODY><TR><TD>Criteria</TD><TD>Field1</TD><TD>Field2</TD><TD>_raw</TD></TR><TR><TD>one,two,three,99.0</TD><TD>Value1</TD><TD>Value2</TD><TD>Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...</TD></TR></TBODY></TABLE><P>&nbsp;</P> Wed, 15 Feb 2023 21:54:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631080#M219208 yuanliu 2023-02-15T21:54:49Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631218#M219244 <P>sorry but I am still only getting the first value before the comma/hyphen.</P><P>do I need to re eval the whole line?</P> Thu, 16 Feb 2023 16:40:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631218#M219244 Yossarian622 2023-02-16T16:40:50Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631224#M219248 <P>sorry but I am still only getting the first value before the first comma</P><P>do I need to do a re eval</P><P>should I be using mvindex in some form?</P> Thu, 16 Feb 2023 17:13:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631224#M219248 Yossarian622 2023-02-16T17:13:01Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631284#M219269 <P>Let's go back to your data. &nbsp;The illustrated format, is it raw event or is it from one field? &nbsp;What is the command that you last tried?</P> Fri, 17 Feb 2023 06:33:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-with-a-value-containing-commas/m-p/631284#M219269 yuanliu 2023-02-17T06:33:44Z