@ashriram 

Can you please try this?

YOUR_SEARCH
| rex field=_raw "user=(?<user>[^,]*),ip=(?<ip>[^,]*),(?<keys>[^\n]*)"
| rex field=keys "key\d=(?<k>[^\n|,]*)" max_match=0
| stats sum(k) as key_sum by ip user

you can changes as per your requirement like

| stats sum(k) as key_sum by ip

| stats sum(k) as key_sum by user

My Sample Search :

| makeresults | eval raw="user=user1,ip=10.10.10.10,key1=10,key2=30|user=user2,ip=10.10.10.10,key1=5,key3=30|user=user1,ip=10.10.10.12,key2=10,key3=30,key4=2,key5=14,key6=4|user=user1,ip=10.10.10.10,key5=22", raw=split(raw,"|")|mvexpand raw|rename raw as _raw
| rex field=_raw "user=(?<user>[^,]*),ip=(?<ip>[^,]*),(?<keys>[^\n]*)"
| rex field=keys "key\d=(?<k>[^\n|,]*)" max_match=0
| stats sum(k) as key_sum by ip user

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.