https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/506362#M141673 <P>Okay, look at what happens when you do these commands</P><P>&nbsp;</P><LI-CODE lang="css">| makeresults | eval myfield1=mvappend("a","b","c") | eval myfield2=mvjoin(myfield1,"!!!!") | eval myfield3=makemv(myfield2,"!!!!") </LI-CODE><P>&nbsp;and then this command</P><LI-CODE lang="css">| mvexpand myfield3</LI-CODE> Fri, 26 Jun 2020 21:33:43 GMT DalJeanis 2020-06-26T21:33:43Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/505656#M141365 <P class="lia-align-left">Hi Splunk Experts</P><P class="lia-align-left">I've created a summary index where it contains 6 eval cases, for example:</P><P class="lia-align-left">eval 1=case(match(something,"a",...."b","c"), eval 2 =case (d,e,f)....eval 6=case(x,y,z)&nbsp;</P><P class="lia-align-left">where a,b,c....x,y,z are the individual detailed functions &amp; 1,2,3,,4,5,6 as overall functions. Now I have combined all eval functions into a single value using eval Total_Function = mvappend(1,2,3,4,5,6).</P><P class="lia-align-left">But I want to list the table with both overall function &amp; individual detailed function as well. But I am not sure how to get individual detail values in the table along with overall function.</P><P class="lia-align-left">Expected table as below:</P><P class="lia-align-left">Time Total_Function&nbsp; &nbsp; &nbsp; Overallfunction Individual function</P><P class="lia-align-left">XX&nbsp; &nbsp; &nbsp;T otal_Function&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;a<BR />YY&nbsp; &nbsp; &nbsp; &nbsp;Total_Function&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;b<BR />ZZ&nbsp;&nbsp; &nbsp; &nbsp; Total_Function&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;c<BR />AA&nbsp;&nbsp; &nbsp; &nbsp; Total_Function&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;x<BR />BB&nbsp; &nbsp;&nbsp; &nbsp; Total_Function&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;y<BR />CC&nbsp; &nbsp; &nbsp; Total_Function&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;z&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</P><P class="lia-align-left">Kindly help me please.<BR /><BR />(Please note, there are multiple individual functions in each eval case)</P><P class="lia-align-left">&nbsp;</P> Tue, 23 Jun 2020 06:26:20 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/505656#M141365 gopiven 2020-06-23T06:26:20Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/505808#M141428 <P>A summary index can contain literally any number of columns.&nbsp; Just output the record with one column for each item you want to report.&nbsp;&nbsp;</P><P>So, if an event had values for functions a, c r and t, and the Overall function was 1, then it might look like&nbsp;</P><P>&nbsp;</P><LI-CODE lang="css">(time) total_function=23, overall=1, a=12, c=7, r=0, t=15</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>or, if I misunderstood your meaning, maybe it might be&nbsp;</P><P>&nbsp;</P><LI-CODE lang="css">(time) total_function=23 overall="1;3" detail="a;c;r;t"</LI-CODE><P>&nbsp;</P><P>or<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="css">(time) total_function=23 overall="1;3" detail="a=12;c=7;r=0;t=15"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The next record does not have to have all the same fields.</P><P>&nbsp;</P> Tue, 23 Jun 2020 18:44:31 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/505808#M141428 DalJeanis 2020-06-23T18:44:31Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/505855#M141484 <P>Thanks for the reply. I guess you misunderstood the Question.<BR />I am looking to segregate the individual fields which are already appended through mvappend command.<BR /><BR /></P><P>mvappend(1,2,3,4,5,6)<BR />1,2,3,4,5,6 are the eval function cases with values a,b....x,y,z(these values are calculated based on match criteria)<BR /><BR />Hence want to table the data as mentioned in the initial question.</P> Wed, 24 Jun 2020 01:19:44 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/505855#M141484 gopiven 2020-06-24T01:19:44Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/506362#M141673 <P>Okay, look at what happens when you do these commands</P><P>&nbsp;</P><LI-CODE lang="css">| makeresults | eval myfield1=mvappend("a","b","c") | eval myfield2=mvjoin(myfield1,"!!!!") | eval myfield3=makemv(myfield2,"!!!!") </LI-CODE><P>&nbsp;and then this command</P><LI-CODE lang="css">| mvexpand myfield3</LI-CODE> Fri, 26 Jun 2020 21:33:43 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-Eval-Issue-Need-both-combined-amp-segregated-data/m-p/506362#M141673 DalJeanis 2020-06-26T21:33:43Z