https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580112#M202140 <LI-CODE lang="markup">| eval FS_Owner_Mail=FS_Owner."_".Mail</LI-CODE> Thu, 06 Jan 2022 11:45:44 GMT ITWhisperer 2022-01-06T11:45:44Z https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580107#M202138 <P>Hi,&nbsp;</P><P>Wondering if anyone can help.&nbsp;</P><P>I am trying to create a new field called FS_Owner_Mail using |eval from both the mail and FS_Owner existing fields but not too sure how to work it into the below search.</P><P>&nbsp;</P><P>index=varonis sourcetype=xxx:varonis:csv:reports<BR />| eval User_Group=replace(replace('User_Group',"xxxxl\\\\","")," ","")<BR />| join type=left User_Group<BR />[ search index=ad source=xxx_adgroupmemberscan memberSamAccountName="*_xxx" earliest=-48h<BR />| dedup groupSamAccountName, memberSamAccountName<BR />| rename groupSamAccountName as User_Group, memberSamAccountName as Member<BR />| join type=left Member<BR />[ search index=ad source="xxx_aduserscan" samAccountName="*_xxx"<BR />| dedup samAccountName<BR />| rename samAccountName as Member<BR />| table Member, displayName, mail]<BR />| stats values(Member) as Member, values(displayName) as DisplayName, values(mail) as Mail by User_Group<BR />| eval User_Group=replace(replace('User_Group',"_xxx","")," ","")]<BR />| table Access_Path Current_Permissions, DisplayName, FS_Owner, Flags, Inherited_From_Folders, Mail, Member, User_Group</P> Thu, 06 Jan 2022 10:56:48 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580107#M202138 emcglade 2022-01-06T10:56:48Z https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580112#M202140 <LI-CODE lang="markup">| eval FS_Owner_Mail=FS_Owner."_".Mail</LI-CODE> Thu, 06 Jan 2022 11:45:44 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580112#M202140 ITWhisperer 2022-01-06T11:45:44Z https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580113#M202141 <P>Thank you, looks great!</P><P>can you explain the logic and where it would best be in the search?&nbsp;</P> Thu, 06 Jan 2022 12:08:11 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580113#M202141 emcglade 2022-01-06T12:08:11Z https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580116#M202143 <P>At the end when you have values for FS_Owner and Mail?</P> Thu, 06 Jan 2022 12:35:00 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580116#M202143 ITWhisperer 2022-01-06T12:35:00Z https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580122#M202144 <P>Perfect looks really good!</P> Thu, 06 Jan 2022 13:01:08 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-new-field-from-another-field/m-p/580122#M202144 emcglade 2022-01-06T13:01:08Z