Let's say I have extracted two fields, rs_time1 and rs_time2. But now I want to merge the values from these fields into one single field called rs_time. I have the following query, which correctly does what I wanted at search time, but is there a way to do it permanently rather than during search time?
| eval "rs_time"=coalesce(rs_time1,rs_time2) |stats avg(rs_time) as res_time
Assuming Splunk is identifying the fields and that you have not manually extracted them:
[sourcetype] EVAL-rs_time = if(isnotnull('rs_time1'),'rs_time1','rs_time2')
Sure, it's possible, and you already have the right strategy with the
I posted you a link about Calculated Fields that will help you further.
Tell us if you need further assistance.