Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to rename column values when making a chart

sakeebhossain
Explorer
‎04-28-2017 07:12 AM

I have a table which has a store_id, a shopper_id. For example (1, 5231). Each store_id corresponds to a the store name, i.e. For store_id, 1 refers to Walmart, 2 refers to Whole Food and 3 refers to Costco.

If I want to see how many shoppers each store has. If I do the query

source=SHOPER_AUDIT | top store_id

then I get what I want. However, the Y-axis store has store_id as 1,2 or 3. I want to rename them to Walmart, Whole Foods and Costco, respectively. Is it possible to do this?

Reply

HeinzWaescher
Motivator
‎04-28-2017 07:47 AM

Try to add this at the end of your search

| replace 1 WITH "Walmart" , 2 WITH "WholeFood" , 2 WITH "Costco" IN store_id
Reply

bcdady
Explorer
‎07-26-2019 11:41 AM

Thanks for this reminder @HeinzWaescher. I'm working on a search/report, in which I already use replace with a wildcard to remove some redundant / superfluous text, but I hadn't yet used it like this.
This is just what I needed to improve my timechart!

0 Karma
Reply

adonio
Ultra Champion
‎04-28-2017 07:20 AM

use a lookup table? create a basic lookup that looks like this
store_id, store_name
1,walmart
2,costco
3,blah
read this docs here and follow through
http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Addfieldsfromexternaldatasources

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!