https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537106#M467 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/63444">@chinmay25</a>,</P><P>Please try below;</P><LI-CODE lang="markup">index=xyz (source=smf015 OR source=smf014) | stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN | eval Type= case(source=smf014,"Input",source=smf015,"Output",1=1,"Both") | table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type</LI-CODE><P>&nbsp;</P> Mon, 25 Jan 2021 19:48:03 GMT scelikok 2021-01-25T19:48:03Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537081#M465 <P>I am using the following eval command. I want the type column to pick up both the sources.</P><P>index=xyz (source=smf015 OR source=smf014)<BR />| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN<BR />| eval Type= case(source=smf014,Input,source=smf015,Output, (source=smf015 and source=smf014),Both)<BR />| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type</P><P>&nbsp;</P><P>I would appreciate the help.</P> Mon, 25 Jan 2021 19:08:27 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537081#M465 chinmay25 2021-01-25T19:08:27Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537106#M467 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/63444">@chinmay25</a>,</P><P>Please try below;</P><LI-CODE lang="markup">index=xyz (source=smf015 OR source=smf014) | stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN | eval Type= case(source=smf014,"Input",source=smf015,"Output",1=1,"Both") | table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type</LI-CODE><P>&nbsp;</P> Mon, 25 Jan 2021 19:48:03 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537106#M467 scelikok 2021-01-25T19:48:03Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537112#M468 <P>Hi Scelikok,</P><P>&nbsp;</P><P>Thank you for the help. It does work.&nbsp;</P><P>However, I may have defined the problem incorrectly.&nbsp;</P><P>What I expect the Type column to pick up is INPUT in place of SMF014 and OUTPUT in place of SMF015.</P><P>Looking forward to your suggesstion.</P><P>&nbsp;</P><P>Chinmay.</P> Mon, 25 Jan 2021 20:05:24 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537112#M468 chinmay25 2021-01-25T20:05:24Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537122#M469 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/63444">@chinmay25</a>,</P><P>I believed that you want to see "Input" , "Output" or "Both" as text in Type field. The search result must have showing these values. Do you mean Input, Output and Both as another field name? Do you want to see the values of these fields on Type field?</P><P>&nbsp;</P> Mon, 25 Jan 2021 20:47:36 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537122#M469 scelikok 2021-01-25T20:47:36Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537125#M470 <P>Hi Scelikok,</P><P>I want the result table to have the following column for type. It should not have "Both" in it. In place of SMF014 I want Input and In place of SMF015 I want Output in the Type Column.</P><TABLE width="53"><TBODY><TR><TD width="53">Type</TD></TR><TR><TD>Input</TD></TR><TR><TD>Input</TD></TR><TR><TD>Input</TD></TR><TR><TD>Input</TD></TR><TR><TD>Output</TD></TR><TR><TD>Input</TD></TR><TR><TD>Output</TD></TR><TR><TD>Input</TD></TR></TBODY></TABLE> Mon, 25 Jan 2021 21:03:45 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537125#M470 chinmay25 2021-01-25T21:03:45Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537126#M471 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/63444">@chinmay25</a>,</P><P>I got the problem now, it was not supposed to show all as "Both". Please try below;</P><LI-CODE lang="markup">index=xyz (source=smf015 OR source=smf014) | stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN | eval Type=case(source="smf014","Input",source="smf015","Output",1=1,"Both") | table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type</LI-CODE><P>&nbsp;</P> Mon, 25 Jan 2021 21:13:44 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537126#M471 scelikok 2021-01-25T21:13:44Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537128#M472 <P>Hi,</P><P>I tried your latest command with 1=1, "Both". The table still shows Both and not Input or Output.</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">Type</TD></TR><TR><TD width="100%">Both</TD></TR><TR><TD width="100%">Both</TD></TR><TR><TD width="100%">Both</TD></TR></TBODY></TABLE> Mon, 25 Jan 2021 21:18:05 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537128#M472 chinmay25 2021-01-25T21:18:05Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537129#M473 <P>And If i try the if command, i get a blank column.</P> Mon, 25 Jan 2021 21:18:50 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537129#M473 chinmay25 2021-01-25T21:18:50Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537132#M474 <P>Is it possible to be all events are coming from both sources? Can you please show the stats command output before eval?</P><P>&nbsp;</P> Mon, 25 Jan 2021 21:54:21 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537132#M474 scelikok 2021-01-25T21:54:21Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537134#M475 <P>This is the result just after the stats command.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chinmay25_0-1611612377322.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12661iBF642E68F3D0D168/image-size/medium?v=v2&amp;px=400" role="button" title="chinmay25_0-1611612377322.png" alt="chinmay25_0-1611612377322.png" /></span></P><P>&nbsp;</P> Mon, 25 Jan 2021 22:06:12 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537134#M475 chinmay25 2021-01-25T22:06:12Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537144#M476 <P>Ok, source is not exact match to smf014 or smf015. Please try below;</P><LI-CODE lang="markup">index=xyz (source=smf015 OR source=smf014) | stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN | eval Type=case(mvcount(source)&gt;1,"Both",source LIKE "%smf014","Input",source LIKE "%smf015","Output") | table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type</LI-CODE><P>&nbsp;</P> Mon, 25 Jan 2021 23:11:04 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537144#M476 scelikok 2021-01-25T23:11:04Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537237#M477 <P>Hi Scelikok,</P><P>Unfortunately, its still not picking up anything in the Type column.</P><P>The Type column is blank.</P><P>&nbsp;</P><P>Chinmay.</P> Tue, 26 Jan 2021 16:03:40 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537237#M477 chinmay25 2021-01-26T16:03:40Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537245#M478 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/63444">@chinmay25</a>,</P><P>Please try below, I think it is case sensitivity;</P><LI-CODE lang="markup">index=xyz (source=smf015 OR source=smf014) | stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN | eval Type=case(mvcount(source)&gt;1,"Both",source LIKE "%SMF014","Input",source LIKE "%SMF015","Output") | table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type</LI-CODE> Tue, 26 Jan 2021 16:37:43 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537245#M478 scelikok 2021-01-26T16:37:43Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537260#M479 <P>Thank you. This solution works.</P><P>I had used the append command to make it work, but this is more efficient.</P><P>Regards,</P><P>Chinmay.</P> Tue, 26 Jan 2021 17:33:11 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Help-with-Eval-command/m-p/537260#M479 chinmay25 2021-01-26T17:33:11Z