Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to rename column values when making a chart

sakeebhossain
Explorer
‎04-28-2017 07:12 AM

I have a table which has a store_id, a shopper_id. For example (1, 5231). Each store_id corresponds to a the store name, i.e. For store_id, 1 refers to Walmart, 2 refers to Whole Food and 3 refers to Costco.

If I want to see how many shoppers each store has. If I do the query

source=SHOPER_AUDIT | top store_id

then I get what I want. However, the Y-axis store has store_id as 1,2 or 3. I want to rename them to Walmart, Whole Foods and Costco, respectively. Is it possible to do this?

Reply

HeinzWaescher
Motivator
‎04-28-2017 07:47 AM

Try to add this at the end of your search

| replace 1 WITH "Walmart" , 2 WITH "WholeFood" , 2 WITH "Costco" IN store_id
Reply

bcdady
Explorer
‎07-26-2019 11:41 AM

Thanks for this reminder @HeinzWaescher. I'm working on a search/report, in which I already use replace with a wildcard to remove some redundant / superfluous text, but I hadn't yet used it like this.
This is just what I needed to improve my timechart!

0 Karma
Reply

adonio
Ultra Champion
‎04-28-2017 07:20 AM

use a lookup table? create a basic lookup that looks like this
store_id, store_name
1,walmart
2,costco
3,blah
read this docs here and follow through
http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Addfieldsfromexternaldatasources

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!