Yep, exactly right - multi-value fields are those that are in a single event. By definition, when you have more than one event, ... they're just separate values for the field, not multiple values inside one field content. Though you really can combine other events together, with a field being made multi-value too.

Oh, now I think I've done it and confused it all back up again. What you are doing is taking events that are otherwise the same, smashing them together on the field that isn't the same, and making that new single event have that one non-same-content field into an mv. Take a look at this:

| makeresults count=2
| streamstats count
| eval name = "Myrtle"
| eval occupation = "Haberdasher"
| eval favorite_foods = if(count=1, "Ice Cream", "Pizza")

Myrtle the Haberdasher likes both Ice Cream and Pizza. Two events, one for each, sort of like if you flattened a normalized database by doing a join in your select off the "people" and "favorite_foods" tables.

If you tried to mvcombine favorite foods, you'll find you can't - and the reason IMO is very enlightening. Here's the non-working try:

| makeresults count=2
| streamstats count
| eval name = "Myrtle"
| eval occupation = "Haberdasher"
| eval favorite_foods = if(count=1, "Ice Cream", "Pizza")
| mvcombine delim="," favorite_foods

This still leaves you with two events. And that's because not all the fields are the same yet - you'll see I left the streamstats "count" field in there, so that keeps Splunk from putting those events together because it doesn't know what to do about that "other" different field. "Favorite_foods" it could make into an mv, but count?

(And unfortunately, you can't mvcombine on two fields at once. Argh, I should check for an idea to make this better... OK there wasn't so I made one, feel free to toss a vote or two onto it https://ideas.splunk.com/ideas/EID-I-595).

So if you add in a 'fields - count' it'll now work:

| makeresults count=2
| streamstats count
| eval name = "Myrtle"
| eval occupation = "Haberdasher"
| eval favorite_foods = if(count=1, "Ice Cream", "Pizza")
| fields - count
| mvcombine delim="," favorite_foods

You'll note I made the two events in an entirely different way than the previous example, using streamstats so I could conditionally make favorite_foods be one of two things. I did this so that we had no MV-style stuff *anywhere* above that mvcombine at the bottom. I figured easier to understand if I didn't already have just used a bunch of mv-stuff to have built the events in the first place only to use mv-stuff to smash it back together, which who knows what tomfoolery I may have done in there? Or to prove, in the words of a famous moose, that there was "nothing up my sleeve".

Lastly, you can accomplish this as well by using stats.

| makeresults count=2
| streamstats count
| eval name = "Myrtle"
| eval occupation = "Haberdasher"
| eval favorite_foods = if(count=1, "Ice Cream", "Pizza")
| fields - count
| stats values(favorite_foods) as favorite_foods by name, occupation

And in fact, with stats you can totally throw away that "count" field by just ignoring it.

| makeresults count=2
| streamstats count
| eval name = "Myrtle"
| eval occupation = "Haberdasher"
| eval favorite_foods = if(count=1, "Ice Cream", "Pizza")
| stats values(favorite_foods) as favorite_foods by name, occupation

So, stats has it better in many ways. But the big drawback to stats is that everything you want to include has to be mentioned either in the values() or in the 'by' clause. Which of course, when you need it, the way to mv more than one field is with stats, because you can do multiples. Or even all, like in this example.

| makeresults count=2
| streamstats count
| eval name = if(count=1, "Myrtle", "Hyacinth")
| eval occupation = if(count=1, "Haberdasher", "Homemaker")
| eval favorite_foods = if(count=1, "Ice Cream", "Pizza")
| stats values(*) as *

Anyhow, happy Splunking, and have fun!

-Rich
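The grouping rule described in the post above, as an added example that is not part of Rich's post and not Splunk's code: a simplified Python model of why the leftover "count" field blocks mvcombine while stats ignores it. The function names and the `myrtle` sample builder are hypothetical, and the model assumes every event carries the field being combined.

```python
from collections import OrderedDict

def mvcombine(events, field):
    """Simplified model: merge events that agree on every field except `field`."""
    groups = OrderedDict()
    for ev in events:
        # The grouping key is every *other* field together with its value,
        # so one stray differing field (such as "count") splits the group.
        key = tuple(sorted((k, v) for k, v in ev.items() if k != field))
        groups.setdefault(key, []).append(ev[field])
    # Rebuild one event per group; `field` becomes a list (the multi-value).
    return [dict(key, **{field: vals}) for key, vals in groups.items()]

def stats_values(events, fields, by):
    """Simplified model of `stats values(f) as f ... by ...`."""
    groups = OrderedDict()
    for ev in events:
        # Only the by-fields form the key; unnamed fields are simply dropped.
        key = tuple(ev[b] for b in by)
        row = groups.setdefault(key, {f: set() for f in fields})
        for f in fields:
            if f in ev:
                row[f].add(ev[f])
    # values() yields distinct values in lexicographical order.
    return [dict(zip(by, key), **{f: sorted(v) for f, v in row.items()})
            for key, row in groups.items()]

def myrtle(keep_count):
    """Constructed sample: the two Myrtle events from the post."""
    rows = []
    for count, food in enumerate(["Ice Cream", "Pizza"], start=1):
        ev = {"name": "Myrtle", "occupation": "Haberdasher",
              "favorite_foods": food}
        if keep_count:
            ev["count"] = count  # the field left behind by streamstats
        rows.append(ev)
    return rows

if __name__ == "__main__":
    print(mvcombine(myrtle(True), "favorite_foods"))   # two events remain
    print(mvcombine(myrtle(False), "favorite_foods"))  # one combined event
    print(stats_values(myrtle(True), ["favorite_foods"],
                       ["name", "occupation"]))        # count is ignored
```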