https://community.splunk.com/t5/Splunk-Search/Field-transformation/m-p/90592#M23276 <P>hello,</P> <P>I have this following log in Splunk:</P> <PRE><CODE>RS:D2T,PAN:1/1,Req:fr18126,User:a169805,TKN:g00e29dfd883effecba,H:W60080,SN:UTKBENCH,RC:000,TIME:180ms </CODE></PRE> <P>I create a field RC which correspond and now I want to associate to each value of RC a value in splunk. For example I want to say where RC=000 the value is "ok". I know that I can add in my search "eval serieRC=case("RC=000,"ok",...)" but there are a lot of values and if there are a new value later, I have to modify all my search which take account this field to associate a new value. So I want to know if there is an other solution to this problem. I saw that there is "field transformation" but I don't understand very well how associate a value X to a value Y which is in the log for the field "RC".</P> <P>Thanks by advance to your help.</P> <P>Laura</P> Wed, 04 Jul 2012 13:21:52 GMT LauraBre 2012-07-04T13:21:52Z https://community.splunk.com/t5/Splunk-Search/Field-transformation/m-p/90592#M23276 <P>hello,</P> <P>I have this following log in Splunk:</P> <PRE><CODE>RS:D2T,PAN:1/1,Req:fr18126,User:a169805,TKN:g00e29dfd883effecba,H:W60080,SN:UTKBENCH,RC:000,TIME:180ms </CODE></PRE> <P>I create a field RC which correspond and now I want to associate to each value of RC a value in splunk. For example I want to say where RC=000 the value is "ok". I know that I can add in my search "eval serieRC=case("RC=000,"ok",...)" but there are a lot of values and if there are a new value later, I have to modify all my search which take account this field to associate a new value. So I want to know if there is an other solution to this problem. I saw that there is "field transformation" but I don't understand very well how associate a value X to a value Y which is in the log for the field "RC".</P> <P>Thanks by advance to your help.</P> <P>Laura</P> Wed, 04 Jul 2012 13:21:52 GMT https://community.splunk.com/t5/Splunk-Search/Field-transformation/m-p/90592#M23276 LauraBre 2012-07-04T13:21:52Z https://community.splunk.com/t5/Splunk-Search/Field-transformation/m-p/90593#M23277 <P>The answer to your problem is the use of lookup tables. There is an excellent example/tutorial on their use here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/Fieldlookupstutorial">http://docs.splunk.com/Documentation/Splunk/latest/User/Fieldlookupstutorial</A>.</P> <P>This way you can just add new values to the lookup files later without having to change your saved search.</P> <P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 04 Jul 2012 13:52:24 GMT https://community.splunk.com/t5/Splunk-Search/Field-transformation/m-p/90593#M23277 rturk 2012-07-04T13:52:24Z https://community.splunk.com/t5/Splunk-Search/Field-transformation/m-p/90594#M23278 <P>Thx very much for your answer. I look this and try to use that.</P> Thu, 05 Jul 2012 08:55:28 GMT https://community.splunk.com/t5/Splunk-Search/Field-transformation/m-p/90594#M23278 LauraBre 2012-07-05T08:55:28Z