Hi @Deepak.Paste, Feel free to reach out to @Cansel.OZCAN  privately if you wish. I would not share emails on public threads. If you want to share private info, use the Private Message feature How do I send a Private Message?   @Deepak.Paste - you can also get in touch with AppD Support. How do I submit a Support ticket? An FAQ 

OK. So it's not that the "index" merges the values. It's the collect command that sometimes can work funny on them. See https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Collect#Change_how_collect_summarizes_multivalue_fields

Yes, I expect they are formatted the same.. CompanyA CompanyA  are merged into a single row instead of a separate row, so when I used stats value on summary index, it will not consider CompanyA as 1 unique value, but instead "CompanyA CompanyA CompanyA" is one unique value. Thanks See below.   

Hello @ITWhisperer @PickleRick , Maybe I don't explain it clearly. I am confused on why you need to know how I constructed the search I don't think it matters because the summary index derived from the same source of commands I attached the picture below. I hope that explains.  Thank you

The collect command (assuming that is what you are using to populate your summary index), merely puts the events from the pipeline into your index. What @PickleRick is driving at is that it is how you construct your search prior to the collect command that determines how the events look in the summary index. Perhaps you could share an anonymised version of your search SPL (preferably in a code block </>), so we can suggest changes prior to the collect command.

Perhaps I think you don't understand my question. I put an example very specific on my original post. I do understand the data and how it got here because I was the one that created the summary index, but I could not post company's data in here, so everything is just imaginary fields.   So, the point is after summary index, the data does not change, but it got merged into one line Can you provide an example what you meant? Thanks

It seems like you've successfully integrated Meraki with Splunk.  Interpreting the data is another matter and probably calls for Meraki documentation (perhaps this will get you started https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Event_Log). FTR, Splunk recommends NOT using a Splunk instance as a syslog server as data will be lost when the instance restarts.  Splunk recommends using a dedicated syslog server such as syslog-ng, rsyslog, or Splunk Connect for Syslog.

I am not sure if this option was available in 2015 but as of today the easier way to do this would be with the use of one of the text functions with the EVAL command. Usage: substr(<str>,<start>,<length>) In your case: | eval n=substr("your_string", 1, 3) 

Hello, What do you mean I have to seek there for answers?   As I mentioned in the example, the index summary does not change the data, but it merged data into one row companyA companyA to Company A company A Here's my original questions: 1) How do I make summary index put multiple values into separate lines like on a regular index? 2) When I use stats values command, should it return unique values? Thank you for your help