Splunk Dev

Add new label or name next to value

harishnpandey
Explorer

index=myindex FruitType="Apple" OR FruitType="Banana" AND ( FaultCode="201")|stats count by FaultCode,FruitType

Fault Code   FruitType   Count

201          Apple       2
201          Banana      3
202          Apple       6

Is there any way I can give a meaningful name to Fault Code in an adjacent column named "FaultType" and display those FaultType values next to each FaultCode, such as:

Fault Code   Fault Type   FruitType   Count

201          Small size   Apple       2
201          Small size   Banana      3
202          Decay        Apple       6

Appreciate your feedback and suggestion on this.

Thanks,
Harry

0 Karma

cmerriman
Super Champion

You could create a lookup for each code and input it, as @davebrooking says in the comments. If there are only a few codes, you could create an eval statement. I wouldn't recommend that for a lot of codes, only because it could get very long, though you could put it in a macro and use it in other searches as well.

|eval FaultType=case(FaultCode="201","Small Size",FaultCode="202","Decay")

http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Definesearchmacros

harishnpandey
Explorer

Thank you very much. Your valued suggestion works for me.

Much appreciated 🙂

0 Karma

davebrooking
Contributor

Hi Harry

The documentation walks you through how to do this using what Splunk call lookups.

Dave

0 Karma
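
The lookup approach mentioned in the replies above, sketched as an added example that is not part of the original thread. The lookup file name `fault_types.csv` is an assumption. The first search writes the code-to-name mapping to that file once. The second search is the question's search without the `FaultCode="201"` filter, enriched from the file, with codes missing from the file labelled "Unknown" instead of being left blank.

```spl
| makeresults
| eval row=split("201,Small size;202,Decay", ";")
| mvexpand row
| eval FaultCode=mvindex(split(row, ","), 0), FaultType=mvindex(split(row, ","), 1)
| table FaultCode FaultType
| outputlookup fault_types.csv

index=myindex (FruitType="Apple" OR FruitType="Banana")
| stats count by FaultCode, FruitType
| lookup fault_types.csv FaultCode OUTPUT FaultType
| fillnull value="Unknown" FaultType
| table FaultCode FaultType FruitType count
```

Adding a new fault code then means adding one row to the lookup file rather than editing every search that uses the `case()` expression.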