@vincentgoh98 @akarivaratharaj  One of the ways I handled this for my Slack notifications from Splunk was to create a field with the required columns and then mvcombine them as a single field value and use this field in the alert.  It will list down items in your slack.  You can try something like this. | makeresults count=20 | eval rand =(random() % 20)+2 | eval field_a="A-"+rand | eval field_b="B-"+rand | stats count by field_a field_b | eval field_ab_count=field_a+" , "+field_b+" , "+count | fields field_ab_count | mvcombine field_ab_count     ~ If the reply helps, an upvote would be appreciated  ... View more

Hi @gcusello ,   Thank you very much for your help ! I am pretty new to Splunk and thus never think of using dc() function. ! It does work for me, and I will mark it as solution. ... View more