https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554600#M157410 <P>Since</P><LI-CODE lang="markup">index=hashstore a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc" OR b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc" OR c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc" OR d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"</LI-CODE><P>can be written as</P><LI-CODE lang="markup">index=hashstore a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc" OR b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc" OR c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc" OR d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"</LI-CODE><P>your search can be something like</P><LI-CODE lang="markup">index=hashstore [| makeresults | eval hash=split("abcd","") | mvexpand hash | eval hash=hash.".hash" | eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",") | mvexpand value | eval {hash}=value | fields - _time hash value]</LI-CODE> Sun, 06 Jun 2021 08:09:08 GMT ITWhisperer 2021-06-06T08:09:08Z https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554599#M157409 <P><BR />I am providing data from one input in the dashboard, and want to search provided input strings in different fields which may include provided inputs. all the fields can contain same data format if they are not empty.&nbsp;<BR /><BR />I am using the following search, but not working.</P><P><STRONG>Note:</STRONG> provided input can be single values as well.</P><P><STRONG><U>Expected result:</U></STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">index=hashstore a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc" OR b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc" OR c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc" OR d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"</LI-CODE><P>&nbsp;</P><P><BR /><U><STRONG>CURRENT SEARCH</STRONG></U> -- not giving the expected result.</P><P>&nbsp;</P><LI-CODE lang="markup">index=hashstore [| makeresults | rename a.hash{} as hash | eval a.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval a.hash=split(a.hash,",") | mvexpand a.hash | append [| makeresults | rename b.hash{} as b.hash | eval b.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval b.hash=split(b.hash,",") | mvexpand b.hash ] | append [| makeresults | rename c.hash{} as c.hash | eval c.hash ="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval c.hash =split(c.hash ,",") | mvexpand c.hash ] | append [| makeresults | rename d.hash{} as d.hash | eval d.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval d.hash=split(d.hash,",") | mvexpand d.hash ] | table a.hash, b.hash, c.hash, d.hash ]</LI-CODE><P>&nbsp;</P><P>Thanks,</P> Sun, 06 Jun 2021 07:47:09 GMT https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554599#M157409 splunkerer 2021-06-06T07:47:09Z https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554600#M157410 <P>Since</P><LI-CODE lang="markup">index=hashstore a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc" OR b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc" OR c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc" OR d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"</LI-CODE><P>can be written as</P><LI-CODE lang="markup">index=hashstore a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc" OR b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc" OR c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc" OR d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"</LI-CODE><P>your search can be something like</P><LI-CODE lang="markup">index=hashstore [| makeresults | eval hash=split("abcd","") | mvexpand hash | eval hash=hash.".hash" | eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",") | mvexpand value | eval {hash}=value | fields - _time hash value]</LI-CODE> Sun, 06 Jun 2021 08:09:08 GMT https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554600#M157410 ITWhisperer 2021-06-06T08:09:08Z https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554601#M157411 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>Thanks for solution, this is working fine, but the issue is my original field names are ending with {}. I forget to mention it, original search should be like below.&nbsp;</P><P>How can I get this result?&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=hashstore a.hash{}="aaaaaaaaa" OR a.hash{}="bbbbbbbbbb" OR a.hash{}="ccccccccccc" OR b.hash{}="aaaaaaaaa" OR b.hash{}="bbbbbbbbbb" OR b.hash{}="ccccccccccc" OR c.hash{}="aaaaaaaaa" OR c.hash{}="bbbbbbbbbb" OR c.hash{}="ccccccccccc" OR d.hash{}="aaaaaaaaa" OR d.hash{}="bbbbbbbbbb" OR d.hash{}="ccccccccccc"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Sun, 06 Jun 2021 14:31:32 GMT https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554601#M157411 splunkerer 2021-06-06T14:31:32Z https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554602#M157412 <LI-CODE lang="markup">index=hashstore [| makeresults | eval hash=split("abcd","") | mvexpand hash | eval hash=hash.".hash" | eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",") | mvexpand value | eval {hash}=value | fields - _time hash value | rename * as *{}]</LI-CODE> Sun, 06 Jun 2021 15:18:05 GMT https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554602#M157412 ITWhisperer 2021-06-06T15:18:05Z https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554726#M157450 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; you are the best!&nbsp;</P> Mon, 07 Jun 2021 16:30:24 GMT https://community.splunk.com/t5/Splunk-Search/Combining-appending-multiple-makeresults/m-p/554726#M157450 splunkerer 2021-06-07T16:30:24Z