Give this a try. It , combines all foo.foo_* field values, concatenated by space, into field foo . If you want different delimiter, just update the 2nd expression in foreach-eval. your current search with all foo.foo_* fields | eval foo="" | foreach foo.foo_* [ eval foo=if(foo="",'<<FIELD>>',foo." ".'<<FIELD>>'] ... View more

Hi DanielWick, I think the rex syntax in your search is incorrect. rex field=_raw "SessionID:[(?.*)];" If you want to extract session id from your raw events and assign the values to a field you should supply in the regex capture group. For example, if your new field is sid, use the following search: sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?<sid>.*)\];" | dedup sid | table sid For details about the rex command, please refer to: http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex In your search below, you simply retrieved all the events with "S1" in the raw data, not with field sid="S1". sourcetype="ta" index="p_r" "ReasonCode" "S1" Also, please note that subsearch is not without its limitations. Subsearches are limited by both time and event count: • Default time limit = 60 seconds – If the subsearch continues to run after this time, it is finalized –Only the events found during that time are returned to the outer search • Default results limit = 10,000 – After 10,499 entries, the results are truncated (partial result set) Hope this helps.Thanks! Hunter ... View more