https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480606#M193017 <P>hi</P> <P>As you can see below, I am doing a stats with the field "process_name"<BR /> In order to be more comprenhensive, I am doing a rename of this field with a case function<BR /> But in my table, I would like to display this field 2 times : one time with the original name and another time with the name done after the rename<BR /> How I can do this please??</P> <PRE><CODE>| stats values xxxxxx by host process_name | eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield") | rename process_name as "Process name" | table "Process name" </CODE></PRE> Fri, 13 Sep 2019 05:03:20 GMT jip31 2019-09-13T05:03:20Z https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480606#M193017 <P>hi</P> <P>As you can see below, I am doing a stats with the field "process_name"<BR /> In order to be more comprenhensive, I am doing a rename of this field with a case function<BR /> But in my table, I would like to display this field 2 times : one time with the original name and another time with the name done after the rename<BR /> How I can do this please??</P> <PRE><CODE>| stats values xxxxxx by host process_name | eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield") | rename process_name as "Process name" | table "Process name" </CODE></PRE> Fri, 13 Sep 2019 05:03:20 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480606#M193017 jip31 2019-09-13T05:03:20Z https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480607#M193018 <P>Maybe evaluate it to a new field.<BR /> | stats values xxxxxx by host process_name <BR /> | eval "Process name" =case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield")<BR /> | table "Process name" process_name </P> Wed, 30 Sep 2020 02:07:50 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480607#M193018 Melstrathdee 2020-09-30T02:07:50Z https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480608#M193019 <P>no doesnt works</P> Fri, 13 Sep 2019 06:18:07 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480608#M193019 jip31 2019-09-13T06:18:07Z https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480609#M193020 <P>JIP31 check what your case statement, for me it returns an error.<BR /> Without seeing your data I cant be sure I have your syntax right, but maybe try the below.</P> <BLOCKQUOTE> <P>| eval process_name=case(process_name<BR /> like "mfev%",process_name,<BR /> process_name like "mcdatrep",<BR /> process_name,<BR /> process_name=="mcshield",<BR /> process_name) | eval "Process name" =<BR /> process_name | table "Process name"<BR /> process_name</P> </BLOCKQUOTE> Wed, 30 Sep 2020 02:07:53 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480609#M193020 Melstrathdee 2020-09-30T02:07:53Z https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480610#M193021 <P>like this it works thanks!</P> Fri, 13 Sep 2019 07:15:38 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-a-field-two-times-in-a-table-with-the-original/m-p/480610#M193021 jip31 2019-09-13T07:15:38Z