Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to rename column values when making a chart

sakeebhossain
Explorer
‎04-28-2017 07:12 AM

I have a table which has a store_id, a shopper_id. For example (1, 5231). Each store_id corresponds to a the store name, i.e. For store_id, 1 refers to Walmart, 2 refers to Whole Food and 3 refers to Costco.

If I want to see how many shoppers each store has. If I do the query

source=SHOPER_AUDIT | top store_id

then I get what I want. However, the Y-axis store has store_id as 1,2 or 3. I want to rename them to Walmart, Whole Foods and Costco, respectively. Is it possible to do this?

Reply

HeinzWaescher
Motivator
‎04-28-2017 07:47 AM

Try to add this at the end of your search

| replace 1 WITH "Walmart" , 2 WITH "WholeFood" , 2 WITH "Costco" IN store_id
Reply

bcdady
Explorer
‎07-26-2019 11:41 AM

Thanks for this reminder @HeinzWaescher. I'm working on a search/report, in which I already use replace with a wildcard to remove some redundant / superfluous text, but I hadn't yet used it like this.
This is just what I needed to improve my timechart!

0 Karma
Reply

adonio
Ultra Champion
‎04-28-2017 07:20 AM

use a lookup table? create a basic lookup that looks like this
store_id, store_name
1,walmart
2,costco
3,blah
read this docs here and follow through
http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Addfieldsfromexternaldatasources

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...