Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add new label or name next to value

harishnpandey
Explorer
‎04-05-2017 12:36 PM

index=myindex FruitType="Apple" OR FruitType="Banana" AND ( FaultCode="201")|stats count by FaultCode,FruitType

Fault Code FruitType Count

201 Apple 2
201 Banana 3
202 Apple 6

is there any way I can give meaningful name to Fault Code in adjacent column name as "FaultType" and display those FaulType next to each FaultCode such as:

Fault Code Fault Type FruitType Count

201 Small size Apple 2
201 Small size Banana 3
202 Decay Apple 6

Appreciate your feedback and suggestion on this.

Thanks,
Harry

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎04-07-2017 04:54 AM

you could create a lookup for each code and input it, as @davebrooking says in the comments. If there are only a few codes, you could create an eval statement. I wouldn't recommend that for a lot of codes, only because it could get very long, though you could put it in a macro and use it in other searches as well.

|eval FaultType=case(FaultCode="201","Small Size",FaultCode="202","Decay")

http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Definesearchmacros

View solution in original post

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎04-07-2017 04:54 AM

you could create a lookup for each code and input it, as @davebrooking says in the comments. If there are only a few codes, you could create an eval statement. I wouldn't recommend that for a lot of codes, only because it could get very long, though you could put it in a macro and use it in other searches as well.

|eval FaultType=case(FaultCode="201","Small Size",FaultCode="202","Decay")

http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Definesearchmacros

Reply
Solved! Jump to solution

harishnpandey
Explorer
‎04-07-2017 11:44 AM

Thank you very much. your valued suggestion works for me .

Much appreciated 🙂

0 Karma
Reply
Solved! Jump to solution

davebrooking
Contributor
‎04-07-2017 03:43 AM

Hi Harry

The documentation walks you through how to do this using what Splunk call lookups.

Dave

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...