https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642822#M222641 <P>I believe you could use a lookup table. Create a column that matches the extracted field and another column with the additional field information. something like</P><P>statuscode&nbsp; &nbsp; &nbsp;bank&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (headers)<BR />statuscodeUSB&nbsp; &nbsp; Usbank</P><P>statuscodeIND&nbsp; &nbsp; &nbsp; Indianbank</P><P>See the docs:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents</A></P><P>&nbsp;</P><P>And, have you tried the rename command? |&nbsp;<SPAN>rename &lt;wc-field&gt; AS &lt;wc-field&gt;...</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 May 2023 12:17:10 GMT enzomialich 2023-05-10T12:17:10Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642820#M222639 <P>for e.g.</P> <P>input :&nbsp; &nbsp;I am getting result in an table format like&nbsp; statuscodeUSB&nbsp; &nbsp;35 but i wan to transform the result into some thing&nbsp; like Us Bank&nbsp; &nbsp; 35.</P> <P>Basically I want to implement logic something like this</P> <P>&nbsp;if&nbsp;&nbsp;statuscodeUSB&nbsp; then&nbsp; return Usbank</P> <P>if statuscodeIND then return indian bank</P> <P>&nbsp;</P> <P>can anyone suggest smething on this</P> Wed, 10 May 2023 17:01:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642820#M222639 ABHAYA 2023-05-10T17:01:18Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642822#M222641 <P>I believe you could use a lookup table. Create a column that matches the extracted field and another column with the additional field information. something like</P><P>statuscode&nbsp; &nbsp; &nbsp;bank&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (headers)<BR />statuscodeUSB&nbsp; &nbsp; Usbank</P><P>statuscodeIND&nbsp; &nbsp; &nbsp; Indianbank</P><P>See the docs:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents</A></P><P>&nbsp;</P><P>And, have you tried the rename command? |&nbsp;<SPAN>rename &lt;wc-field&gt; AS &lt;wc-field&gt;...</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 May 2023 12:17:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642822#M222641 enzomialich 2023-05-10T12:17:10Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642823#M222642 <P>I tried with rename command but it was not working. The input format I shared i.e. actually the result of rex&nbsp; expression.</P> Wed, 10 May 2023 12:25:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642823#M222642 ABHAYA 2023-05-10T12:25:28Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642842#M222645 <P>Assuming statuscodeUSB and statuscodeIND have been extract into a field called statuscode, you could do something like this</P><LI-CODE lang="markup">| eval statuscode=case(statuscode="statuscodeUSB", "Usbank", statuscode="statuscodeIND", "indian bank", 1==1, statuscode)</LI-CODE> Wed, 10 May 2023 13:42:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/642842#M222645 ITWhisperer 2023-05-10T13:42:42Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643001#M222718 it is working for only 1st value. Thu, 11 May 2023 09:46:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643001#M222718 ABHAYA 2023-05-11T09:46:32Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643002#M222719 <P>for 2nd&nbsp; value it is&nbsp; still displaying old value for e.g. i can see statuscodeIND not Indian bank after writing the eval expression. I&nbsp; have one more question can eval expression works only for two values or more than&nbsp; two values also.</P> Thu, 11 May 2023 09:56:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643002#M222719 ABHAYA 2023-05-11T09:56:40Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643007#M222722 <P>The case function will work for multiple values although there may be a line length limit (not sure what that might be), and the case function has to be all on one line. although it can wrap in some editors.</P> Thu, 11 May 2023 10:43:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643007#M222722 ITWhisperer 2023-05-11T10:43:06Z https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643012#M222724 <P>The above&nbsp; query worked some how buy adding one more default value in the field called status Code.Not sure what is the concept behind that.Anyway&nbsp; Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Thu, 11 May 2023 10:56:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-map-one-string-result-to-another-string-using-Splunk/m-p/643012#M222724 ABHAYA 2023-05-11T10:56:32Z