topic Re: How to table results with multiple evals? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-table-results-with-multiple-evals/m-p/633818#M220134 <P>I assume that you are saying that if a search has True anywhere, then it's True, otherwise false.</P><P>You could do something like</P><LI-CODE lang="markup">| stats values(*) as * by Search | foreach * [ eval &lt;&lt;FIELD&gt;&gt;=if(isnotnull(mvfind(&lt;&lt;FIELD&gt;&gt;, "True")), "True", "False") ]</LI-CODE><P>but you could also set values to 1 and 0 for True/False and then do</P><LI-CODE lang="markup">| stats max(*) as * by Search | foreach Triggered Scheduled Test [ eval &lt;&lt;FIELD&gt;&gt;=if(&lt;&lt;FIELD&gt;&gt;=1, "True", "False") ]</LI-CODE> Wed, 08 Mar 2023 22:19:06 GMT bowesmana 2023-03-08T22:19:06Z How to table results with multiple evals? https://community.splunk.com/t5/Splunk-Search/How-to-table-results-with-multiple-evals/m-p/633808#M220129 <P>I have a search where I have multiple evals to check if items are true of false. With my results I want to show something like:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%" height="25px">Search</TD> <TD width="25%" height="25px">Triggered</TD> <TD width="25%" height="25px">Scheduled</TD> <TD width="25%" height="25px">Test</TD> </TR> <TR> <TD width="25%" height="40px">TestAlert1</TD> <TD width="25%" height="40px"> <P>True</P> </TD> <TD width="25%" height="40px">True</TD> <TD width="25%" height="40px">True</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Currently what I am getting is something like this:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%" height="25px">Search</TD> <TD width="25%" height="25px">Triggered</TD> <TD width="25%" height="25px">Scheduled</TD> <TD width="25%" height="25px">Test</TD> </TR> <TR> <TD width="25%" height="25px">TestAlert1</TD> <TD width="25%" height="25px">True</TD> <TD width="25%" height="25px">False</TD> <TD width="25%" height="25px">False</TD> </TR> <TR> <TD width="25%" height="25px">TestAlert1</TD> <TD width="25%" height="25px">False</TD> <TD width="25%" height="25px">True</TD> <TD width="25%" height="25px">False</TD> </TR> <TR> <TD width="25%" height="25px">TestAlert1</TD> <TD width="25%" height="25px">False</TD> <TD width="25%" height="25px">False</TD> <TD width="25%" height="25px">True</TD> </TR> </TBODY> </TABLE> <P>I am thinking I need to use xyseries chart but am not sure.</P> Wed, 08 Mar 2023 20:43:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-results-with-multiple-evals/m-p/633808#M220129 aohls 2023-03-08T20:43:55Z Re: How to table results with multiple evals? https://community.splunk.com/t5/Splunk-Search/How-to-table-results-with-multiple-evals/m-p/633818#M220134 <P>I assume that you are saying that if a search has True anywhere, then it's True, otherwise false.</P><P>You could do something like</P><LI-CODE lang="markup">| stats values(*) as * by Search | foreach * [ eval &lt;&lt;FIELD&gt;&gt;=if(isnotnull(mvfind(&lt;&lt;FIELD&gt;&gt;, "True")), "True", "False") ]</LI-CODE><P>but you could also set values to 1 and 0 for True/False and then do</P><LI-CODE lang="markup">| stats max(*) as * by Search | foreach Triggered Scheduled Test [ eval &lt;&lt;FIELD&gt;&gt;=if(&lt;&lt;FIELD&gt;&gt;=1, "True", "False") ]</LI-CODE> Wed, 08 Mar 2023 22:19:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-results-with-multiple-evals/m-p/633818#M220134 bowesmana 2023-03-08T22:19:06Z