Notice that your requested output has more rows than the original input rows. To do this would require some sort of transformation, one way could to use an mvexpand method and would look something like this.
<base_search>
| eval
field3=mvappend(field1, field2)
| fields + field3
| mvexpand field3
| sort 0 +field3You can see in the screenshot that field3 is in your requested format
Full SPL to replicate
| makeresults count=5
| streamstats
count as field1
| eval
field2=case(
'field1'==1, 10,
'field1'==2, 12,
True(), null()
)
| fields - _time
``` mvexpand method ```
| eval
field3=mvappend(field1, field2)
| mvexpand field3
| sort 0 +field3
Another method would be append (subsearches can be truncated if you hit any splunk limits)
something like this
<base_search> field1=*
| eval
field3='field1'
| fields + field3
| append
[
| search <base_search> field2=*
| eval
field3='field2'
| fields + field3
]
Full SPL to replicate
| makeresults count=5
| streamstats
count as field1
| eval
field2=case(
'field1'==1, 10,
'field1'==2, 12,
True(), null()
)
| fields - _time
| search field1=*
| eval
field3='field1'
``` append method ```
| append
[
| makeresults count=5
| streamstats
count as field1
| eval
field2=case(
'field1'==1, 10,
'field1'==2, 12,
True(), null()
)
| fields - _time
| search field2=*
| eval
field3='field2'
]
I bet there is also a slick way of using appendpipe command to achieve this as well.
<base_search>
| appendpipe
[
| stats
values(field2) as field2
]
| eval
field3=coalesce(field1, field2)
| mvexpand field3output looks like this
Full SPL to replicate
| makeresults count=5
| streamstats
count as field1
| eval
field2=case(
'field1'==1, 10,
'field1'==2, 12,
True(), null()
)
| fields - _time
``` appendpipe method ```
| appendpipe
[
| stats
values(field2) as field2
]
| eval
field3=coalesce(field1, field2)
| mvexpand field3
