Config as provided in the comments looks fine, but if those fields are not together in 1 event, there is no way this will work using calculated fields. You will need to write a search query that combines the related events somehow, to get that information together.
If you need help with that, I suggest you create a new question, with proper detailed explanation of what you are trying to achieve.
If by "combine" you mean concatenate then you use the concatenation operator within an
... | eval D = A . B . C
will create a field 'D' containing the values from fields A, B, C strung together (D=ABC). You can add text between the elements if you like:
... | eval D = A . "+" . B . "=" . C
See my answer below, and stop just kicking your question without adding any new information. As explained: what you want is impossible with calculated fields. You cannot combine fields from 2 separate events like that.
Thanks for your reply, I have tried that like eval report=A . "-" .B
It is working and behaving report as a new field but we can't run the SPL query every time.. So I'm planning to create a new field which combines the two fields which I have created and working successfully.....
When I run the SPL Query, eval repor= duration. "-" .action it combines these two fields...
So they can see how much time was taken to complete the action... is there a way to add two fields and make them as third field???
Yes, just define a calculated field with that same eval expression in it.
In the GUI under Settings -> Fields -> Calculated Fields. Or directly in props.conf under the respective sourcetype:
EVAL-report = A . "-" .B
I have given name
Eval Expression = EVAL-report = timeendpos. "-" .timestartpos
then it gave this error: Encountered the following error while trying to save: In handler 'props-eval': Operator types incompatible
Can you also open the calculated fields to see how you configured it?
Also: from what I can see from your search screenshot, the 2 events with an MTP value do not have a Duration value. So then of course the calculation fails.
Here Duration and MTP are both completely different from each other..
My query is to merge these two fields by creating a new field...
Here MTP means action and Duration means time..
If I merge these fields, the client will get to know "Action completed by 55 sec" by clicking on a single field....
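An added example, not part of the original thread: a self-contained SPL search showing why a per-event eval (which is what a calculated field is) returns nothing when MTP and Duration sit in different events, and how a search that first merges the events on a shared key can build the combined field. The key field txn_id and all sample values are constructed assumptions; the thread does not say which field links the two events.

```spl
| makeresults count=2
| streamstats count as n
| eval txn_id="constructed-txn-1"
| eval MTP=if(n=1, "Login", null()), Duration=if(n=2, 55, null())
| eval per_event=MTP . " completed in " . tostring(Duration) . " sec"
| stats values(MTP) as MTP values(Duration) as Duration values(per_event) as per_event by txn_id
| eval report=MTP . " completed in " . tostring(Duration) . " sec"
| table txn_id MTP Duration per_event report
```

per_event stays empty because each event lacks one of the two operands, while report is populated once stats has brought both values onto one row.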