https://community.splunk.com/t5/Splunk-Search/Create-new-field-by-combining-2-fields-from-same-index/m-p/674714#M230959 <P>Notice that your requested output has more rows than the original input rows. To do this would require some sort of transformation, one way could to use an mvexpand method and would look something like this.</P><LI-CODE lang="markup">&lt;base_search&gt; | eval field3=mvappend(field1, field2) | fields + field3 | mvexpand field3 | sort 0 +field3</LI-CODE><P>You can see in the screenshot that field3 is in your requested format</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1705598621738.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28994i2B254DACE84DFDB7/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1705598621738.png" alt="dtburrows3_0-1705598621738.png" /></span></P><P>Full SPL to replicate</P><LI-CODE lang="markup">| makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time ``` mvexpand method ``` | eval field3=mvappend(field1, field2) | mvexpand field3 | sort 0 +field3</LI-CODE><P><BR />Another method would be append (subsearches can be truncated if you hit any splunk limits)<BR />something like this</P><LI-CODE lang="markup">&lt;base_search&gt; field1=* | eval field3='field1' | fields + field3 | append [ | search &lt;base_search&gt; field2=* | eval field3='field2' | fields + field3 ]</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_1-1705599099873.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28995i018606625F4958C5/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_1-1705599099873.png" alt="dtburrows3_1-1705599099873.png" /></span></P><P>Full SPL to replicate</P><LI-CODE lang="markup">| makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time | search field1=* | eval field3='field1' ``` append method ``` | append [ | makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time | search field2=* | eval field3='field2' ]</LI-CODE><P><BR />I bet there is also a slick way of using appendpipe command to achieve this as well.</P><LI-CODE lang="markup">&lt;base_search&gt; | appendpipe [ | stats values(field2) as field2 ] | eval field3=coalesce(field1, field2) | mvexpand field3</LI-CODE><P>output looks like this</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_2-1705599309233.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28996i0E25EBCDD93DB3B6/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_2-1705599309233.png" alt="dtburrows3_2-1705599309233.png" /></span></P><P>Full SPL to replicate</P><LI-CODE lang="markup">| makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time ``` appendpipe method ``` | appendpipe [ | stats values(field2) as field2 ] | eval field3=coalesce(field1, field2) | mvexpand field3</LI-CODE><P><BR /><BR /></P> Thu, 18 Jan 2024 17:35:42 GMT dtburrows3 2024-01-18T17:35:42Z https://community.splunk.com/t5/Splunk-Search/Create-new-field-by-combining-2-fields-from-same-index/m-p/674708#M230957 <P>I got 2 fields from same splunk index<BR />field1 have rows 1,2,3,4,5 and field2 have rows 10,12<BR />I want new field3 with data from both field1 and field2.</P><P>Please suggest.</P><TABLE border="0" width="192" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="19">field1</TD><TD width="64">&nbsp;</TD><TD width="64">field2</TD></TR><TR><TD height="19">1</TD><TD>&nbsp;</TD><TD>10</TD></TR><TR><TD height="19">2</TD><TD>&nbsp;</TD><TD>12</TD></TR><TR><TD height="19">3</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD height="19">4</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD height="19">5</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><TABLE border="0" width="64" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="19">field3</TD></TR><TR><TD height="19">1</TD></TR><TR><TD height="19">2</TD></TR><TR><TD height="19">3</TD></TR><TR><TD height="19">4</TD></TR><TR><TD height="19">5</TD></TR><TR><TD height="19">10</TD></TR><TR><TD height="19">12</TD></TR></TBODY></TABLE> Thu, 18 Jan 2024 17:15:06 GMT https://community.splunk.com/t5/Splunk-Search/Create-new-field-by-combining-2-fields-from-same-index/m-p/674708#M230957 onthakur 2024-01-18T17:15:06Z https://community.splunk.com/t5/Splunk-Search/Create-new-field-by-combining-2-fields-from-same-index/m-p/674714#M230959 <P>Notice that your requested output has more rows than the original input rows. To do this would require some sort of transformation, one way could to use an mvexpand method and would look something like this.</P><LI-CODE lang="markup">&lt;base_search&gt; | eval field3=mvappend(field1, field2) | fields + field3 | mvexpand field3 | sort 0 +field3</LI-CODE><P>You can see in the screenshot that field3 is in your requested format</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1705598621738.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28994i2B254DACE84DFDB7/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1705598621738.png" alt="dtburrows3_0-1705598621738.png" /></span></P><P>Full SPL to replicate</P><LI-CODE lang="markup">| makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time ``` mvexpand method ``` | eval field3=mvappend(field1, field2) | mvexpand field3 | sort 0 +field3</LI-CODE><P><BR />Another method would be append (subsearches can be truncated if you hit any splunk limits)<BR />something like this</P><LI-CODE lang="markup">&lt;base_search&gt; field1=* | eval field3='field1' | fields + field3 | append [ | search &lt;base_search&gt; field2=* | eval field3='field2' | fields + field3 ]</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_1-1705599099873.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28995i018606625F4958C5/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_1-1705599099873.png" alt="dtburrows3_1-1705599099873.png" /></span></P><P>Full SPL to replicate</P><LI-CODE lang="markup">| makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time | search field1=* | eval field3='field1' ``` append method ``` | append [ | makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time | search field2=* | eval field3='field2' ]</LI-CODE><P><BR />I bet there is also a slick way of using appendpipe command to achieve this as well.</P><LI-CODE lang="markup">&lt;base_search&gt; | appendpipe [ | stats values(field2) as field2 ] | eval field3=coalesce(field1, field2) | mvexpand field3</LI-CODE><P>output looks like this</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_2-1705599309233.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28996i0E25EBCDD93DB3B6/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_2-1705599309233.png" alt="dtburrows3_2-1705599309233.png" /></span></P><P>Full SPL to replicate</P><LI-CODE lang="markup">| makeresults count=5 | streamstats count as field1 | eval field2=case( 'field1'==1, 10, 'field1'==2, 12, True(), null() ) | fields - _time ``` appendpipe method ``` | appendpipe [ | stats values(field2) as field2 ] | eval field3=coalesce(field1, field2) | mvexpand field3</LI-CODE><P><BR /><BR /></P> Thu, 18 Jan 2024 17:35:42 GMT https://community.splunk.com/t5/Splunk-Search/Create-new-field-by-combining-2-fields-from-same-index/m-p/674714#M230959 dtburrows3 2024-01-18T17:35:42Z