https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668295#M229266 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248587">@djoobbani</a>,</P><P>I find the simplest way to generate multiple events is a combination of makeresults, eval, and mvexpand:</P><PRE>| makeresults<BR />| eval source="abc"<BR />| eval msg="consumed"<BR />| eval time_pairs=split("2023-11-09T21:33:05Z,2023-11-09T21:40:05Z|2023-11-09T21:34:05Z,2023-11-09T21:41:05Z|2023-11-09T21:35:05Z,2023-11-09T21:42:05Z", "|")<BR />| mvexpand time_pairs<BR />| eval time_pairs=split(time_pairs, ",")<BR />| eval time_1=mvindex(time_pairs, 0), time_2=mvindex(time_pairs, 1)<BR />| fields - time_pairs</PRE><P>&nbsp;You can also use streamstats count combined with eval case:</P><PRE>| makeresults count=3<BR />| eval source="abc"<BR />| eval msg="consumed"<BR />| streamstats count<BR />| eval time_1=case(count==1, "2023-11-09T21:33:05Z", count==2, "2023-11-09T21:34:05Z", count==3, "2023-11-09T21:35:05Z")<BR />| eval time_2=case(count==1, "2023-11-09T21:40:05Z", count==2, "2023-11-09T21:41:05Z", count==3, "2023-11-09T21:42:05Z")<BR />| fields - count</PRE><P>&nbsp;These are just two examples. You can be as creative as needed.</P> Sat, 11 Nov 2023 01:54:44 GMT tscroggins 2023-11-11T01:54:44Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668287#M229260 <P>Hi there:</P><P>I have the following makeresults query:</P><P><BR />| makeresults count=3<BR />| eval source="abc"<BR />| eval msg="consumed"<BR />| eval time_1="2023-11-09T21:33:05Z"<BR />| eval time_2="2023-11-09T21:40:05Z"<BR /><BR />So i want to create three different events where the values for&nbsp;time_1 &amp;&nbsp;time_2 are different for each event.<BR />How can i do that?</P><P>Thanks!</P> Fri, 10 Nov 2023 23:18:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668287#M229260 djoobbani 2023-11-10T23:18:03Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668295#M229266 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248587">@djoobbani</a>,</P><P>I find the simplest way to generate multiple events is a combination of makeresults, eval, and mvexpand:</P><PRE>| makeresults<BR />| eval source="abc"<BR />| eval msg="consumed"<BR />| eval time_pairs=split("2023-11-09T21:33:05Z,2023-11-09T21:40:05Z|2023-11-09T21:34:05Z,2023-11-09T21:41:05Z|2023-11-09T21:35:05Z,2023-11-09T21:42:05Z", "|")<BR />| mvexpand time_pairs<BR />| eval time_pairs=split(time_pairs, ",")<BR />| eval time_1=mvindex(time_pairs, 0), time_2=mvindex(time_pairs, 1)<BR />| fields - time_pairs</PRE><P>&nbsp;You can also use streamstats count combined with eval case:</P><PRE>| makeresults count=3<BR />| eval source="abc"<BR />| eval msg="consumed"<BR />| streamstats count<BR />| eval time_1=case(count==1, "2023-11-09T21:33:05Z", count==2, "2023-11-09T21:34:05Z", count==3, "2023-11-09T21:35:05Z")<BR />| eval time_2=case(count==1, "2023-11-09T21:40:05Z", count==2, "2023-11-09T21:41:05Z", count==3, "2023-11-09T21:42:05Z")<BR />| fields - count</PRE><P>&nbsp;These are just two examples. You can be as creative as needed.</P> Sat, 11 Nov 2023 01:54:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668295#M229266 tscroggins 2023-11-11T01:54:44Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668300#M229270 <P>Thank you, how would i be able to reduce the result by only displaying the row with the earliest time (time_1 field)?<BR /><BR />Thanks!</P> Sat, 11 Nov 2023 03:49:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668300#M229270 djoobbani 2023-11-11T03:49:09Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668319#M229275 <P>You could just create one event instead of three, or in the example, just return the first event:</P> <LI-CODE lang="markup">| head 1</LI-CODE> <P>If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:</P> <LI-CODE lang="markup">| sort time_1 | head 1</LI-CODE> <P>If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:</P> <LI-CODE lang="markup">| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z") | sort time_1_epoch | head 1</LI-CODE> <P>If multiple events have the same time_1 value, you can use eventstats and where:</P> <LI-CODE lang="markup">| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z") | eventstats min(time_1_epoch) as min_time_1 | where time_1_epoch==min_time_1</LI-CODE> Sat, 11 Nov 2023 16:54:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668319#M229275 tscroggins 2023-11-11T16:54:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668321#M229276 <P>Thank you very much for the solution!</P> Sat, 11 Nov 2023 15:48:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-events-with-different-values-using/m-p/668321#M229276 djoobbani 2023-11-11T15:48:05Z