https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442181#M125583 <P>Hi adonio. Sorry for not such a clear explenation and thank you for your message. I fixed it.<BR /> I created 3 multivalue fields:<BR /> 1. | eval final_time=TestStart .",".TestEnd<BR /> 2. | eval run="1,0"<BR /> 3. | eval wait="0,1"</P> <P>To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".</P> <P>After that I created 3 new fields from the 3 previous multivalue fields</P> <P>| makemv tokenizer="([^,]+),?" final_time<BR /> | makemv tokenizer="([^,]+),?" run<BR /> | makemv tokenizer="([^,]+),?" wait<BR /> | eval new=mvzip(final_time,run)<BR /> | eval neww=mvzip(new,wait)<BR /> | mvexpand neww<BR /> | eval time=substr(neww,1,19)<BR /> | eval run=substr(neww,21,1)<BR /> | eval wait=substr(neww,23,1)<BR /> | table time run wait</P> Wed, 30 Sep 2020 01:04:13 GMT spisiakmi 2020-09-30T01:04:13Z https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442179#M125581 <P>Hi I have such a table in which is described the proces of any TestMachine:<BR /> A B C D<BR /> TestStart TestStatus TestDuration TestEnd<BR /> 11.03.2015 14:54:32 PASS 116 11.03.2015 14:56:28<BR /> 11.03.2015 14:57:10 PASS 116 11.03.2015 14:59:06<BR /> 11.03.2015 14:59:58 PASS 119 11.03.2015 15:01:57<BR /> 11.03.2015 15:03:21 FAIL 66 11.03.2015 15:04:27<BR /> 11.03.2015 15:04:54 PASS 116 11.03.2015 15:06:50<BR /> 11.03.2015 15:10:29 FAIL 185 11.03.2015 15:13:34</P> <P>I need to create a table or chart, where the status of the testmachine will be displayed.<BR /> x axis: time, where will be combined columns A and D<BR /> y axis: such a binari impuls 0 to 1, where the status of the machine will be displayed<BR /> legend (status of the machine): RUN, WAIT<BR /> RUN status: is between A1 and D1<BR /> WAIT status: is between D1 and A2</P> <P>here is an example, what I need: <A href="https://ibb.co/M6bcWnh">https://ibb.co/M6bcWnh</A></P> <P>the events are sorted from the oldiest event</P> <P>Can you help me, please?</P> Wed, 26 Jun 2019 07:24:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442179#M125581 spisiakmi 2019-06-26T07:24:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442180#M125582 <P>can you elaborate a little? <BR /> what does it mean: "x axis: time, where will be combined columns A and D" <BR /> what kind of combination? </P> Wed, 26 Jun 2019 17:20:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442180#M125582 adonio 2019-06-26T17:20:36Z https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442181#M125583 <P>Hi adonio. Sorry for not such a clear explenation and thank you for your message. I fixed it.<BR /> I created 3 multivalue fields:<BR /> 1. | eval final_time=TestStart .",".TestEnd<BR /> 2. | eval run="1,0"<BR /> 3. | eval wait="0,1"</P> <P>To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".</P> <P>After that I created 3 new fields from the 3 previous multivalue fields</P> <P>| makemv tokenizer="([^,]+),?" final_time<BR /> | makemv tokenizer="([^,]+),?" run<BR /> | makemv tokenizer="([^,]+),?" wait<BR /> | eval new=mvzip(final_time,run)<BR /> | eval neww=mvzip(new,wait)<BR /> | mvexpand neww<BR /> | eval time=substr(neww,1,19)<BR /> | eval run=substr(neww,21,1)<BR /> | eval wait=substr(neww,23,1)<BR /> | table time run wait</P> Wed, 30 Sep 2020 01:04:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442181#M125583 spisiakmi 2020-09-30T01:04:13Z https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442182#M125584 <P>I fixed it.<BR /> I created 3 multivalue fields:<BR /> 1. | eval final_time=TestStart .",".TestEnd<BR /> 2. | eval run="1,0"<BR /> 3. | eval wait="0,1"</P> <P>To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".</P> <P>After that I created 3 new fields from the 3 previous multivalue fields</P> <P>| makemv tokenizer="([^,]+),?" final_time<BR /> | makemv tokenizer="([^,]+),?" run<BR /> | makemv tokenizer="([^,]+),?" wait<BR /> | eval new=mvzip(final_time,run)<BR /> | eval neww=mvzip(new,wait)<BR /> | mvexpand neww<BR /> | eval time=substr(neww,1,19)<BR /> | eval run=substr(neww,21,1)<BR /> | eval wait=substr(neww,23,1)<BR /> | table time run wait</P> Wed, 30 Sep 2020 02:05:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-new-field-combined-from-existing-fields/m-p/442182#M125584 spisiakmi 2020-09-30T02:05:49Z