Hi @kyi
You sure can. Something like this run anywhere example
| makeresults
| eval field1=split("YYN,YNN,NYN,YYY", ",")
| mvexpand field1
``` above creates dummy events and is not needed ```
``` example below ```
| eval NewFieldName=case(field1="YYN", "OK", field1="YNN", "NOT OK", field1="NYN", "NOT OK", true(), "No match")
| table field1 NewFieldName
Hope it helps
