Thanks for your help! The index being used contains two values, "Timestamp" and "Animal" where each entry contains the time of the event and what kind of animal occurred; cat, dog, rat, etc. ... so,
00:01:30,Dog
00:01:31,Cat
00:01,31,Rat
00:01,45,Dog
I want to display a column chart of animals per minute, so this chart would have three "bins": the first bin containing one "Dog" column count, the second bin containing one "Cat" and one "Rat" count column, the third bin containing one "Dog" column.
The query is [index="Foo" | chart count by Timestamp, Animal]
That all works, and on the right of the chart I get a legend listing "Dog", "Cat" and "Rat" corresponding to the data values for "Animal" ... what I'd like, though, is for some sort of lookup to change "Dog" to "Perro", "Cat" to "Gato" and "Rat" to "Rata" on the legend. I don't want to post-process the index itself, changing all of the "Dog"'s to "Perro"'s, and I can't change the incoming data to say "Gato" rather than "Cat" ... the change needs to happen at the time the chart is generated. Programmatically I could do it using C# and a charting package, but I was curious if that was possible using the provided Splunk stuff ..