Splunk Search

How can I change the field values to another value?


Hello Guys!

I need to change the values that are present in the field "Item Codigo".

For example:

040500603S007C10 to Product 01
010300404S014C01 to Product 02

I have been searching for a method. I tried to use eval, but no success...

0 Karma

Re: How can I change the field values to another value?


There are a couple of ways to do that. One is with eval.

... | eval "Item Codigo" = case('Item Codigo'=="040500603S007C10", "Product 01", 'Item Codigo'=="010300404S014C01", "Product 02", 1==1, 'Item Codigo')

The other is with a lookup table. First, create a CSV file (I call it "items.csv") with your item numbers and names. Like this:

ItemCodigo,ItemName
040500603S007C10,Product 01
010300404S014C01,Product 02

Then reference the lookup file in your query.

... | lookup items.csv ItemCodigo as "Item Codigo" | eval "Item Codigo" = coalesce(ItemName, 'Item Codigo')

If this reply helps you, an upvote would be appreciated.
0 Karma
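
An added example, not part of the original posts: a self-contained search that generates three constructed events (the third item code is invented so that one row has no mapping) and shows how quoting affects the eval approach. Inside an eval expression, double quotes make a string literal and single quotes reference a field, so the `wrong` column reads "no match" on every row, while the final case() keeps unmapped codes unchanged. The field names `n`, `wrong` and `right` are assumptions made for this illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval "Item Codigo" = case(n==1, "040500603S007C10", n==2, "010300404S014C01", n==3, "999999999X000Z00")
| eval wrong = if("Item Codigo"=="040500603S007C10", "Product 01", "no match")
| eval right = if('Item Codigo'=="040500603S007C10", "Product 01", "no match")
| eval "Item Codigo" = case('Item Codigo'=="040500603S007C10", "Product 01", 'Item Codigo'=="010300404S014C01", "Product 02", true(), 'Item Codigo')
| table n wrong right "Item Codigo"
```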