Maybe you need a sum(count) rather than a list(count)?  I'm not sure what the overall goal is so sorry for the piece meal answers.  ... View more

If I understand you correctly, try using values(action) rather than list(action) ... View more

Are you looking to extract the field in a query through spl or are you trying to do a field extraction on ingest of the log data? For the first you would add a field extraction in your props.conf file. https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf For the second you would use the rex command as suggested.   https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples The regex you would use depends on how consistant your logs are and if you could define a regex to match all of the logs you are concerned with.  Here is an example of what might work if all of your logs had the command at the end of the line: | rex field=_raw “(?<command>[\w]+\s[-\w]*)$” The above regex is not perfect.  You'll have to account for a command with and without arguments.  The above regex isn't perfect if your command doesn't have -xyz arguments.   ... View more