Thanks for the reply. The reason we went with stats is so that we can group by error type. Not sure if the same can be done with table commands. With the table approach, essentially what we are looking for is : We create a table with 2 rows, so we get 2 alerts. But each row has sub rows with the fields extracted from the events. The reason is so we can track which user at what time and what API etc This also looks complicated, could you kindly point out if I am on the right direction? ... View more

In that case, I do have another hypothesis.  Is it possible that your source type uses both index-time extraction of JSON structure (INDEXED_EXTRACTIONS=JSON) and search time automatic extraction (KV_MODE=JSON)?  A field can not only be multivalued and have several different  values per event, but also be multivalued with identical values. If every event has properties.path populated, this faux multivalue condition can most easily identified by looking at the fields column in smart mode or verbose mode.  You will see that properties.path is populated in 200% of events. (As opposed to 100%.)  If the fields is sparsely populated, you will need something like base search properties.path=* Hope this helps. I remember reading warnings about KV_MODE and INDEX_EXTRACTIONS in Splunk docs, but cannot find examples in a quick search. ... View more

This is working, thank you! ... View more

this single quote solution works well. thank you. It would be helpful if you guys can add an example in the document, thanks! https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace#Syntax ... View more