Re: How to rename column values when making a char...

sakeebhossain · ‎04-28-2017

I have a table which has a store_id, a shopper_id. For example (1, 5231). Each store_id corresponds to a the store name, i.e. For store_id, 1 refers to Walmart, 2 refers to Whole Food and 3 refers to Costco.

If I want to see how many shoppers each store has. If I do the query

source=SHOPER_AUDIT | top store_id

then I get what I want. However, the Y-axis store has store_id as 1,2 or 3. I want to rename them to Walmart, Whole Foods and Costco, respectively. Is it possible to do this?

HeinzWaescher · ‎04-28-2017

Try to add this at the end of your search

| replace 1 WITH "Walmart" , 2 WITH "WholeFood" , 2 WITH "Costco" IN store_id

bcdady · ‎07-26-2019

Thanks for this reminder @HeinzWaescher. I'm working on a search/report, in which I already use replace with a wildcard to remove some redundant / superfluous text, but I hadn't yet used it like this.
This is just what I needed to improve my timechart!

adonio · ‎04-28-2017

use a lookup table? create a basic lookup that looks like this
store_id, store_name
1,walmart
2,costco
3,blah
read this docs here and follow through
http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Addfieldsfromexternaldatasources

How to rename column values when making a chart

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...