If that behaviour only occurs with a particular sourcetype it's probably best to post some sample data along with the configuration for that sourcetype.

Also, it works for me with some other sourcetype. but , the one that i am facing issue is with UDP data.

Also I am extracting SERVICE values using FIELD-EXTRACTOR

I don't think that should be a problem for Splunk. Anyway when i stat the results it shows properly all the values of the SERVICE , but when I do the | sendemail it somehow skips.
Strange behavior.

Even odder 😞 the stats calls are identical except for different field names, so something more sneaky must be going on.

Hi,

I got the results in one row separated with space for the _internal query .

But , i still face the same issue for my search query, it takes only 1 value of the SERVICE , it skips the remaining values.

Odd, the only difference I see is format=html, but that's the default value.

Are you seeing the same issue with the _internal query I posted above?

i am using version 6. I am using the below search query. It doesnt give all the values of SERVICENAME.

index=* | stats values(SERVICENAME) as SERVICE by HOST | sendemail to="xx@x.x" format=html subject=myresults sendresults=true smtp="smtp.xxx.com"

I don't seem to be able to reproduce that... if I do this:

index=_internal | stats values(source) by sourcetype | sendemail to=me@me.me server=myserver subject=mvtest sendresults=true

I get all values of the multivalue field for the sources, just not in two rows like in the Splunk result without sendmail but rather in one row separated by a space:

sourcetype   values(source)
...
splunkd      /opt/splunk/var/log/splunk/metrics.log /opt/splunk/var/log/splunk/splunkd.log
...

Are you doing anything differently? What version are you on?