https://community.splunk.com/t5/Splunk-Search/How-to-replace-values-outputted-from-stats-with-values-from/m-p/590544#M205603 <P>Thank you, this inline search got me to where I needed to be.&nbsp;</P> Wed, 23 Mar 2022 22:53:13 GMT DenverGeo 2022-03-23T22:53:13Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-values-outputted-from-stats-with-values-from/m-p/589898#M205384 <P>Hello!</P> <P>I am attempting to take a variety of values for a single field and essentially use another search from a different index to rename them to a more human readable value. Both indexes do have a field that contains a 1:1 value that I could potentially use |join, however I am having issues with the stats table output where the search is failing to pull up any data or pulling up all data despite searching for a specific value in a field. I have tried |append as well but not getting the results I expect.&nbsp;</P> <P>Example:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=index_ mac_address=* logical_vm=* state=online | stats latest(physical_vm) as server latest(ip_address) as IP latest(logical_vm) as host by mac_address | search server=z4c8h2 IP=* host=* name=* | stats count by server Output: mac_address | server | IP | host xx:xx:xx:xx:xx:xx | z4c8h2 | 10.0.0.0 | vm01.internet.io index=translate box=z4c8h2 | table human_name</LI-CODE> <P>&nbsp;</P> <P>The translate index search shows the name that I would like to replace in the index_ search for server, but cant get the stats table to update correctly.&nbsp;</P> <P>Any suggestions how to format a join/append or some other method of getting the value to update in the Stats output table?</P> Wed, 23 Mar 2022 22:58:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-values-outputted-from-stats-with-values-from/m-p/589898#M205384 DenverGeo 2022-03-23T22:58:41Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-values-outputted-from-stats-with-values-from/m-p/589906#M205387 <P>Sounds like you could use a lookup.</P><P>You index that contains the human_name - is that something that could be turned into a lookup, where the values are static - if so, then after your stats you would simply do</P><LI-CODE lang="markup">... | lookup server_list.csv server </LI-CODE><P>where the lookup file contains the server/human_name.</P><P>From your naming of the index, it would appear that this data is designed to be a way to translate box--&gt;human_name - is that right? If so, then lookup would seem an option.</P><P>If a lookup is not practical, then you need another solution - note that join is an option - but you always explore alternatives before using join, as it has limitations.</P><P>The join option sounds simple enough</P><LI-CODE lang="markup">| join server [ index=translate | rename box as server | fields server human_name ]</LI-CODE><P>A stats solution would need to correlation the human_name/box/server/mac_address fields to get it done in a single search.</P> Mon, 21 Mar 2022 01:14:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-values-outputted-from-stats-with-values-from/m-p/589906#M205387 bowesmana 2022-03-21T01:14:13Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-values-outputted-from-stats-with-values-from/m-p/590544#M205603 <P>Thank you, this inline search got me to where I needed to be.&nbsp;</P> Wed, 23 Mar 2022 22:53:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-values-outputted-from-stats-with-values-from/m-p/590544#M205603 DenverGeo 2022-03-23T22:53:13Z