Need help in eval case - nested eval possible ?

Splunk Search

I've created a summary index where it contains 6 eval cases,
for example: eval 1=case(match(something,"a",...."b","c"), eval 2 =case (d,e,f)....eval 6=case(x,y,z)
where a,b,c....x,y,z are the individual detailed functions and 1,2,3,4,5,6 are overall functions.

Now I have combined all eval functions into a single value using eval Total_Function = mvappend(1,2,3,4,5,6).

But I want to list the table with both overall function & individual detailed function as well. But I am not sure how to get individual detail values in the table along with overall function.

Expected table as below:

Time Total_Function Overallfunction Individual function

XX T otal_Function 1 a
YY Total_Function 1 b
ZZ   Total_Function 1 c
AA   Total_Function 6 x
BB    Total_Function 6 y
CC Total_Function 6 z

Kindly help me please.

(Please note, there are multiple individual functions in each eval case)

Get Updates on the Splunk Community!

Need help in eval case - nested eval possible ?

chart

eval

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation

Need help in eval case - nested eval possible ?

chart

eval

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience