Ya, I didn't get that either... I ended up simply using REX:

rex field=mount mode=sed "s/space/Splunk DB location/g"

This takes the value "space" in the mount field (this is a df output) and replaces the word "space" with "Splunk DB location".

and for some reason Comments like to remove my *'s from my searches. Will post what i mean as an answer...

Maybe I miss-understood the question, but this didn't work for me; but the "replace" command worked great. Reference here:

http://answers.splunk.com/answers/7077/how-can-i-rename-the-host-names-for-my-chart.html

For some reason Scorecard won't show up w/ this search. sourcetype="EPPWEB" source="/opt/log//web_server/info.log" WAT | rex field=_raw "USER (?P[\d+-\w\w]) downloading ./(?.+?)$" | search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=-.pdf NOT filename=-_.pdf | stats count by registrar, filename | eval Actual=case(filename="Statement.pdf","Billing Statement",filename="Invoice.pdf","Billing Invoice",filename="text.txt","Billing Text",filename="-*.pdf","Scorecard")

filename="-.pdf","Scorecard" is what I have at the end. I'm wondering if it's because of how it's defined earlier in the search with the NOT command?

haha yup eval can be used with just about anything...you can dig deeper by surrounding the eval with a coalesce for unknown values like coalesce(case(...),"unknown") and that will replace unknown definitions as "unknown"