https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307018#M163616 <P>hey @leonheart78</P> <P>I think the better way is to do with lookups.</P> <P><STRONG>step 1</STRONG> : Create a lookup table say <CODE>mylookup.csv</CODE> with columns <CODE>Tag</CODE> and <CODE>Description</CODE><BR /> Tag | Description<BR /> R0001 | Batch No<BR /> R0002 | Year<BR /> R0003 | Month<BR /> R0004 | Day<BR /> R0005 | Volume A <BR /> R0006 | Volume B<BR /> R0007 | Volume C<BR /> R0008 | Total Mixed<BR /> R0009 | Result (0 = OK, 1 = Not OK)</P> <P><STRONG>Step 2</STRONG> : After creating a lookup table, add the lookup table into Splunk.<BR /> Follow this doc to add <CODE>mylookup.csv</CODE> <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/PivotTutorial/AddlookupfilestoSplunk">https://docs.splunk.com/Documentation/Splunk/7.0.1/PivotTutorial/AddlookupfilestoSplunk</A></P> <P><STRONG>Step 3</STRONG> : then write this query on the search head</P> <PRE><CODE>| lookup mylookup.csv Tag OUTPUT Description | stats count by Tag Value | eval Description=case(Value=0 AND Description="Result","OK",Value=1 AND Description="Result","NOT OK",1=1,Description) </CODE></PRE> <P>I hope this helps you!</P> Tue, 16 Jan 2018 07:11:24 GMT mayurr98 2018-01-16T07:11:24Z https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307014#M163612 <P>I’m currently working with some production line data, where each tag value represent a field. Example like below:</P> <P>Tag | Value<BR /> R0001 | 1 -&gt; Batch No<BR /> R0002 | 2018 -&gt; Year<BR /> R0003 | 1 -&gt; Month<BR /> R0004 | 22 -&gt; Day<BR /> R0005 | 5040 -&gt; Volume A <BR /> R0006 | 446 -&gt; Volume B<BR /> R0007 | 189 -&gt; Volume C<BR /> R0008 | 1099 -&gt; Total Mixed<BR /> R0009 | 0 -&gt; Result (0 = OK, 1 = Not OK)</P> <P>I need to arrange the data to look as below<BR /> Batch No |Year |Month |Day |Volume A |Volume B |Volume C |Total Mixed |Result<BR /> 1 |2018 |1 |22 |5040 |446 |189 |1099 |OK<BR /> 2 |2018 |1 |23 |5030 |435 |198 |1078 |OK</P> <P>I was looking at using the Lookup table to achieve it, but not sure how to go about doing it. Any advise is appreciated. Thank you.</P> Tue, 16 Jan 2018 01:25:42 GMT https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307014#M163612 leonheart78 2018-01-16T01:25:42Z https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307015#M163613 <P>Could you present a sample of _raw data?</P> Tue, 16 Jan 2018 02:13:43 GMT https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307015#M163613 HiroshiSatoh 2018-01-16T02:13:43Z https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307016#M163614 <P>You'll probably have better results using Field Aliases. A the name implies, field aliases let you define alternative names for some fields. You could, for example, create alias "Batch" for field "R0001", and so on. See <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Addaliasestofields">http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Addaliasestofields</A>.</P> Tue, 16 Jan 2018 02:19:16 GMT https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307016#M163614 richgalloway 2018-01-16T02:19:16Z https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307017#M163615 <P>An example<BR /> Separate key / value pairs If the delimited character is a comma</P> <PRE><CODE>|NOOP|stats count as _raw|eval _raw="R0001|1 ,R0002|2018 ,R0003|1R0004|22 ,R0005|5040 ,R0006|446 ,R0007|189 ,R0008|1099 ,R0009|0" | extract pairdelim=",", kvdelim="|" |rename R0001 as "Batch No" |rename R0002 as "Year" |rename R0003 as "Month" |rename R0004 as "Day" |rename R0005 as "Volume A" |rename R0006 as "Volume B" |rename R0007 as "Volume C" |rename R0008 as "Total Mixed" |rename R0009 as "Result" |eval Result=if(Result=0,"OK","Not OK") </CODE></PRE> Tue, 16 Jan 2018 02:35:52 GMT https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307017#M163615 HiroshiSatoh 2018-01-16T02:35:52Z https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307018#M163616 <P>hey @leonheart78</P> <P>I think the better way is to do with lookups.</P> <P><STRONG>step 1</STRONG> : Create a lookup table say <CODE>mylookup.csv</CODE> with columns <CODE>Tag</CODE> and <CODE>Description</CODE><BR /> Tag | Description<BR /> R0001 | Batch No<BR /> R0002 | Year<BR /> R0003 | Month<BR /> R0004 | Day<BR /> R0005 | Volume A <BR /> R0006 | Volume B<BR /> R0007 | Volume C<BR /> R0008 | Total Mixed<BR /> R0009 | Result (0 = OK, 1 = Not OK)</P> <P><STRONG>Step 2</STRONG> : After creating a lookup table, add the lookup table into Splunk.<BR /> Follow this doc to add <CODE>mylookup.csv</CODE> <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/PivotTutorial/AddlookupfilestoSplunk">https://docs.splunk.com/Documentation/Splunk/7.0.1/PivotTutorial/AddlookupfilestoSplunk</A></P> <P><STRONG>Step 3</STRONG> : then write this query on the search head</P> <PRE><CODE>| lookup mylookup.csv Tag OUTPUT Description | stats count by Tag Value | eval Description=case(Value=0 AND Description="Result","OK",Value=1 AND Description="Result","NOT OK",1=1,Description) </CODE></PRE> <P>I hope this helps you!</P> Tue, 16 Jan 2018 07:11:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-Data-as-Fields/m-p/307018#M163616 mayurr98 2018-01-16T07:11:24Z