I am trying create some new logging formats for some new data and I want to ensure it Splunk friendly, so I can do a lot of reporting on the data. The data is basic eCommerce information, such as a single order number and many item details. The problem is when I have multiple items for one order such as,

order item   item quantity   item description
123   1       5              pencil
      2       3              dog food

I can't get all of the values for each category, no matter the logging format that i try such as a table format to use the multikv command. multi

order Amount Delivery    Billing_Email    Trans_date       Item_number Item_description Item_price Item quantity
1005   500.78 ShiptoStore test1@email.com 08/12/13 04:33PM  1           Pencils          1          1
                                                            2           Paper            1.5        2
                                                            3           Dog food         10         2

or different variations of key value pairs such as Version1

txnIds=10010, score=10001, amount=57.59, delivery=ShiptoStore,bililng_email=test@email.com, trans_date="08/12/13 02:30PM", item_number="1,2,3", item_description="pencils,paper,"dog food"", item_price="1.20,1.50,10.00", item_quantity="1,2,2"

or Version2

txnIds=10011, amount=57.59, delivery=ShiptoStore, bililng_email=test@email.com, trans_date="08/12/13 02:30PM", item_number=1, item_description=pencils, item_price=1.20, item_quantity=1, item_number=2, item_description=cups, item_price=5.20, item_quantity=5, item_number=3, item_description=shampoo, item_price=7.40, item_quantity=1,

Version1 works fine except that i would need additional regex to split all of the items in each pair and that might put things out of order if i wanted to compare items and price. Version2 creates the fields but only displays the first value, example item_number would only display the number 1 not 1, 2, 3.

Any tips or tricks would be appreciated.

Regards