Luckily each test segment is delimited by comma.  You can use that to break the raw input into individual events, like this: | eval data = split(_raw, ",") | mvexpand data | rename data AS _raw | extract Ultimately, though, your developer should consider breaking the events in raw logs. Below is data emulation you can play with and compare with your real data. | makeresults | eval _raw = "code =test1 description=test1 description status = pending,code =test2 description=test2 description status = COMPLTED, code =test3 description=test3 description status = COMPLETED_FIRST,code =test2 description=test2 description status = COMPLTE." ``` data emulation above ```   ... View more

The above  query worked some how buy adding one more default value in the field called status Code.Not sure what is the concept behind that.Anyway  Thanks @ITWhisperer  ... View more

@ITWhisperer  I  got expected result by ServiceName != <value_to_be_added> in the last of SPL query. Thank you for your response. ... View more