Hello,

we want to combined two fields by using eval inside the tstats where clause search. Please see my search below

| tstats latest(result._time) as _time ,values(result.relational_correlationId) as relational_correlationId,values(result.tracePoint) as tracePoint,values(result.timestamp) as timestamp,values(result.content.businessFields{}.key) as content.businessFields{}.key,values(result.content.businessFields{}.value) as content.businessFields{}.value where index="hec_example1" by result.environment,result.businessGroup,result.appName,result.interfaceName,result.correlationId |rename result.environment as environment,result.businessGroup as businessGroup,result.appName as appName,result.interfaceName as interfaceName,result.correlationId as correlationId| table _time,environment,businessGroup,appName,interfaceName,tracePoint,timestamp,correlationId,content.businessFields{}.key,content.businessFields{}.value

Please help me on this.