Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add new label or name next to value

harishnpandey
Explorer
‎04-05-2017 12:36 PM

index=myindex FruitType="Apple" OR FruitType="Banana" AND ( FaultCode="201")|stats count by FaultCode,FruitType

Fault Code FruitType Count

201 Apple 2
201 Banana 3
202 Apple 6

is there any way I can give meaningful name to Fault Code in adjacent column name as "FaultType" and display those FaulType next to each FaultCode such as:

Fault Code Fault Type FruitType Count

201 Small size Apple 2
201 Small size Banana 3
202 Decay Apple 6

Appreciate your feedback and suggestion on this.

Thanks,
Harry

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎04-07-2017 04:54 AM

you could create a lookup for each code and input it, as @davebrooking says in the comments. If there are only a few codes, you could create an eval statement. I wouldn't recommend that for a lot of codes, only because it could get very long, though you could put it in a macro and use it in other searches as well.

|eval FaultType=case(FaultCode="201","Small Size",FaultCode="202","Decay")

http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Definesearchmacros

View solution in original post

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎04-07-2017 04:54 AM

you could create a lookup for each code and input it, as @davebrooking says in the comments. If there are only a few codes, you could create an eval statement. I wouldn't recommend that for a lot of codes, only because it could get very long, though you could put it in a macro and use it in other searches as well.

|eval FaultType=case(FaultCode="201","Small Size",FaultCode="202","Decay")

http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Definesearchmacros

Reply
Solved! Jump to solution

harishnpandey
Explorer
‎04-07-2017 11:44 AM

Thank you very much. your valued suggestion works for me .

Much appreciated 🙂

0 Karma
Reply
Solved! Jump to solution

davebrooking
Contributor
‎04-07-2017 03:43 AM

Hi Harry

The documentation walks you through how to do this using what Splunk call lookups.

Dave

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...