Solved: How to use delim with stats?

adityainamdar89 · ‎06-30-2014

How to use delim with stats? Multivalued fields generated after using list() in stats is resulting in space-separated values to be emailed to me in a scheduled search rather than them appearing on a new line. Will delim be helpful? If not, is there any other way?

adityainamdar89 · ‎07-01-2014

I found this solution to my problem:

| stats delim=":" list(XYZ) as XYZ BY CRITERIA
| rex mode=sed field=XYZ "s/:/\n/g"

This gives you the results on new lines in the table emailed from splunk.

View solution in original post

adityainamdar89 · ‎07-01-2014

Thanks..I figured out the solution 🙂

adityainamdar89 · ‎07-01-2014

I found this solution to my problem:

| stats delim=":" list(XYZ) as XYZ BY CRITERIA
| rex mode=sed field=XYZ "s/:/\n/g"

This gives you the results on new lines in the table emailed from splunk.

ppablo · ‎07-01-2014

Glad you found a solution @adityainamdar89 🙂 Be sure to accept your answer (clicking on the check mark to the left of this answer) so other users with similar issues will look to this post for help. You also get some karma points too!

martin_mueller · ‎07-01-2014

You can for example set delim=";" and your values will be separated by a semicolon... however, I haven't gotten a newline to work.

How to use delim with stats?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!