Solved: Add new label or name next to value

harishnpandey · ‎04-05-2017

index=myindex FruitType="Apple" OR FruitType="Banana" AND ( FaultCode="201")|stats count by FaultCode,FruitType

Fault Code FruitType Count

201 Apple 2
201 Banana 3
202 Apple 6

is there any way I can give meaningful name to Fault Code in adjacent column name as "FaultType" and display those FaulType next to each FaultCode such as:

Fault Code Fault Type FruitType Count

201 Small size Apple 2
201 Small size Banana 3
202 Decay Apple 6

Appreciate your feedback and suggestion on this.

Thanks,
Harry

cmerriman · ‎04-07-2017

you could create a lookup for each code and input it, as @davebrooking says in the comments. If there are only a few codes, you could create an eval statement. I wouldn't recommend that for a lot of codes, only because it could get very long, though you could put it in a macro and use it in other searches as well.

|eval FaultType=case(FaultCode="201","Small Size",FaultCode="202","Decay")

http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Definesearchmacros

View solution in original post

cmerriman · ‎04-07-2017

you could create a lookup for each code and input it, as @davebrooking says in the comments. If there are only a few codes, you could create an eval statement. I wouldn't recommend that for a lot of codes, only because it could get very long, though you could put it in a macro and use it in other searches as well.

|eval FaultType=case(FaultCode="201","Small Size",FaultCode="202","Decay")

http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Definesearchmacros

harishnpandey · ‎04-07-2017

Thank you very much. your valued suggestion works for me .

Much appreciated 🙂

davebrooking · ‎04-07-2017

Hi Harry

The documentation walks you through how to do this using what Splunk call lookups.

Dave

Add new label or name next to value

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!