topic How to create couple of values in order to compare both field value in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-create-couple-of-values-in-order-to-compare-both-field/m-p/536450#M151679 <P>Hi,&nbsp;</P><P>Here is my raw data :&nbsp;</P><LI-CODE lang="markup">ID, Version, Date, Status 10874381,1,2020-01-15T08:36:00Z,New 10874381,1,2020-01-15T08:46:00Z,Completed - Action Performed 14688643,1,2016-10-06T06:30:00Z,New 14688643,1,2016-10-07T08:32:00Z,Investigating 14688643,1,2016-10-24T15:10:00Z,Completed - Nothing Found</LI-CODE><P>I need to create another field for adding informations to this data. To do that i need to create couple of data.&nbsp;</P><LI-CODE lang="markup">Record Number | Status 1 | Status 2 | Result 10874384 | New | Completed - Action Perfomed | Completed Actions 14688643 | New | Investigating | Work 14688643 | Investigating| Completed - Nothing Found | Completed</LI-CODE><P>I can not know in advance how many status could be by id (maybe 1, 2, 7 or more).</P><P>I do not know how to create couple with two different event in splunk.&nbsp;</P><P>Regards,</P><P>Clement</P> Wed, 20 Jan 2021 08:50:51 GMT cros 2021-01-20T08:50:51Z How to create couple of values in order to compare both field value https://community.splunk.com/t5/Splunk-Search/How-to-create-couple-of-values-in-order-to-compare-both-field/m-p/536450#M151679 <P>Hi,&nbsp;</P><P>Here is my raw data :&nbsp;</P><LI-CODE lang="markup">ID, Version, Date, Status 10874381,1,2020-01-15T08:36:00Z,New 10874381,1,2020-01-15T08:46:00Z,Completed - Action Performed 14688643,1,2016-10-06T06:30:00Z,New 14688643,1,2016-10-07T08:32:00Z,Investigating 14688643,1,2016-10-24T15:10:00Z,Completed - Nothing Found</LI-CODE><P>I need to create another field for adding informations to this data. To do that i need to create couple of data.&nbsp;</P><LI-CODE lang="markup">Record Number | Status 1 | Status 2 | Result 10874384 | New | Completed - Action Perfomed | Completed Actions 14688643 | New | Investigating | Work 14688643 | Investigating| Completed - Nothing Found | Completed</LI-CODE><P>I can not know in advance how many status could be by id (maybe 1, 2, 7 or more).</P><P>I do not know how to create couple with two different event in splunk.&nbsp;</P><P>Regards,</P><P>Clement</P> Wed, 20 Jan 2021 08:50:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-couple-of-values-in-order-to-compare-both-field/m-p/536450#M151679 cros 2021-01-20T08:50:51Z Re: How to create couple of values in order to compare both field value https://community.splunk.com/t5/Splunk-Search/How-to-create-couple-of-values-in-order-to-compare-both-field/m-p/536472#M151683 <LI-CODE lang="markup">index=_internal | head 1 | fields _raw | eval _raw="ID, Version, Date, Status 10874381,1,2020-01-15T08:36:00Z,New 10874381,1,2020-01-15T08:46:00Z,Completed - Action Performed 14688643,1,2016-10-06T06:30:00Z,New 14688643,1,2016-10-07T08:32:00Z,Investigating 14688643,1,2016-10-24T15:10:00Z,Completed - Nothing Found" | multikv forceheader=1 | table ID, Version, Date, Status | rename COMMENT as "the logic" | streamstats window=2 list(Status) as tmp_status by ID | where mvcount(tmp_status) &gt; 1 | eval Status_1=mvindex(tmp_status,0),Status_2=mvindex(tmp_status,1) | rex field=Status_2 "(?&lt;Result&gt;Completed)" | eval Result=if(isnull(Result),"Work",Result) | table ID Status_* Result | rename ID as Record_number</LI-CODE> Wed, 20 Jan 2021 11:11:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-couple-of-values-in-order-to-compare-both-field/m-p/536472#M151683 to4kawa 2021-01-20T11:11:51Z