You could try replacing every special character with a backslash followed by that character. In the following example, the token used in the title is set when the field is clicked. The token value is the contents of the second multi-value in the field, which has been hidden using CSS. (I tried using the replace in the token evaluation directly but it only seems to work on a field not a string.) <panel depends="$alwayshide$"> <html> <style> #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] { display: none; } </style> </html> </panel> <panel id="escaped"> <table> <title>$escaped$</title> <search> <query>| makeresults | fields - _time | eval param="!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]" | eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <eval token="escaped">mvindex($click.value$,1)</eval> </drilldown> </table> </panel>  

I am attaching the output and the entire search query -   The count for source (src=retailautonomyfileage) is coming as 18 instead of 6 only because it is counting all the 3 Fnames at once.  This can come in 3 separate counts for 3 Fnames. Search query- index="idx-stores-misc" source="C:\\TJXLogs\\Verify\\SQLLogs\\*" sourcetype="Store:SQLLogs:json" host=stp* (host="*.stp.local" OR host="*.tjxcorp.net") NOT host="stp-675*" | rex field=host "^(?<Device>[^\.]+)\.(?<Domain>.*)$" | rex field=source "SQLLogs.(?<src>\D+)_" | rex field=message "job.(?<message>\w+)." | lookup Stores_Inventory Device OUTPUT DeviceType Store Chain StoreNum | where DeviceType="SQL" AND NOT src="sqlserveruptime" AND NOT src="ordertracking" | eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")) OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")) OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) OR (src="retaillineitemdup" AND Count>0) OR (src="esbmessagecount" AND MsgCount>5),"Down","Up") | stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain | eval Status=if(Down=count AND count>0, "0", "1")    

Is Fname is a multivalue field having 3 values : mdmdat, omsdat and promodat. The problem is in this line - (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) It is giving the count of src incorrect, it is reading all the 3 fnames as one. I am trying to break them in 3 conditions using Fname so that it counts the individual Fname at once. eg. (src="retailautonomyfileage" AND Fname="mdmdat" AND Age>240) lly for other 2 Fnames.   Hope I am able to explain.  

Hi @man03359 , let me understand: the Fname field is a single value or a multivalue field, before the stats command? If it's a multivalue, you have to separate them using "mvexpand" command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/MvexpandCommandOverview#:~:text=The%20mvexpand%20command%20creates%20individual,productId%20which%20has%20multiple%20values.). If it's a single value field there isn't no reasong to have the described behaviour. Anyway, (I cannot test but it should work), if it's a single value field, you could try to use separated evals: | eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")),"Down",""), (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")),"Down",""), (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")),"Down",""), (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) OR (src="retaillineitemdup" AND Count>0) OR (src="esbmessagecount" AND MsgCount>5),"Down","") | stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain Ciao. Giuseppe

Hi @Kingsly007, Anyway, it's still not clear what you mean with "Dynamic"? if you have comma divided values, the number of them isn't relevant. Could you share a sample of your logs? Ciao. Giuseppe

Hi @Mostafa3081, let me understand: you want to extract a part of a field in a summary index, is it correct? If this is your requirement and if you can, the easiest way is to save the field to extract in the summary generating search. Anyway, you can extract the part of the "text" field using a rex command: | rex field=text "href\=\\\"(?<url>[^ ]*)" that you can test at https://regex101.com/r/6jptux/1 Ciao. Giuseppe