Hello!! Thank you for your response! And I'm sorry I explained myself so poorly! spath does not work: What I meant with this was, having the previous event string as an example, I am unable to use SPL queries such as index="my_index" logid="log_id_here" service="service_here" responseMessage="response_message_here" instead I gotta use index="my_index" "log_id_here" "service_here" "response_message_here" or index="my_index" "log_id_here" service logid responseMessage This is because no data is found when using "variables" such as  responseMessage="response_message_here" Instead I must search for specific string fragments within the event outputs... This is because the output is formatted as string instead of json making the SPL query creation a real pain.   What is your query: One example would be to individually get each responseMessage as such:  index="my_index" "log_id_here" logid service responseMessage \\\"responseMessage\\\" : \\\"null\\\" Instead of the normal way which would be index="my_index" logid="log_id_here" service responseMessage | stats count by responseMessage | dedup responseMessage   What results do I expect: Currently I'm trying to get unique services and order them desc based on the error count for each (which is based on the responseMessage) What results do I get: Currently I'm able to get the count of each service by using string literals such as \\\"service\\\" :  \\\"desk\\\" , other than that I'm stuck here. (I'm guessing this could  be done with something like  index="my_index" "logid" | stats count by service, responseMessage | eval isError=if(responseMessage!="success",1 ,0) | stats sum(isError) as errorCount by service I apologize in advance in case I've missed once again important details or if i've given wrong queries, I haven't been able to try them out as the documentation shows :C thank you very much for your time!!

Hey there! I think you should be all set now (please let me know if not) but I wanted to respond here in case anyone comes across this in the future. We did have an issue that week with the developer license request system, which has now been addressed. This was complicated by the US holiday that week, which is the reason for the delayed response to your email as well. In general, reaching out to devinfo@splunk.com is the right course of action. If you're not getting a response there (sometimes that ends up being a spam filter issue), you can also reach out in the #appdev channel on the Splunk usergroup slack for assistance.

Thank you for your answer, it helped me out. The final version was a bit more trickier as in the ips field can be an "*" instead of any listed values and in that case any of the found values should be considered. So this was the final solution:   | makeresults | eval ips="a,c,x" ```| eval ips="*"``` | eval ips=replace(ips, "\*", "%") | map [ | makeresults | append [ makeresults | eval ips="a", label="aaa" ] | append [ makeresults | eval ips="b", label="bbb" ] | append [ makeresults | eval ips="c", label="ccc" ] | append [ makeresults | eval ips="d", label="ddd" ] | eval outer_ips=split("$ips$", ",") | where (ips=outer_ips OR LIKE(ips, "$ips$")) ```with the above conditon when only a * (%) is there as a value it will catch it with the LIKE. when some other value then the first condition will catch the proper events)``` ] maxsearches=10