Unfortunately I have no control over the log data formatting...
It is in the format: Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...
I have one field, Criteria, that has many values with embedded commas.
Splunk search only gives me the first value... I want all values treated as one in a stats count by.
I tried the below to rewrite them, and do see the changes, but stats is still getting only the first value.
index=myidx Msg=mymsg | rex mode=sed field=_raw "s/,/-/g"
| bucket span=1d _time as ts
| eval ts=strftime(ts,"%Y-%m-%d")
| stats count by ts Criteria
Sorry for misleading you about kvdelim. You still need it when the string is not quoted.
| makeresults | fields - _time | eval _raw = "Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|..." | kv pairdelim="|" kvdelim="="
Criteria: one,two,three,99.0
Field1: Value1
Field2: Value2
_raw: Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...
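The daily count from the question combined with the extraction from the answer, as an added example that is not part of either post. The three events, their Field1/Field2 values, the second Criteria value and the timestamps are constructed sample data.

```spl
| makeresults count=3
| streamstats count as n
``` constructed timestamps: events 1 and 3 fall on yesterday, event 2 on today ```
| eval _time = relative_time(now(), "@d") - (n % 2) * 86400
``` constructed events in the pipe-delimited Field=Value layout from the question ```
| eval _raw = case(
    n=1, "Field1=a|Field2=b|Criteria=one,two,three,99.0|Msg=mymsg",
    n=2, "Field1=c|Field2=d|Criteria=one,two,three,99.0|Msg=mymsg",
    n=3, "Field1=e|Field2=f|Criteria=four,five,1.5|Msg=mymsg")
``` split pairs on "|" only, so the commas stay inside the Criteria value ```
| kv pairdelim="|" kvdelim="="
| bucket span=1d _time as ts
| eval ts=strftime(ts,"%Y-%m-%d")
| stats count by ts Criteria
```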