In our logs I will get field values like
err=0
err=1
.
.
.
err=49
I am able to get the results when run search against "err" field. showing table as below
err count percent
0 10 100.00%
I want to show the results as
err count percent
Success 10 100.00%
How can I rename the values in fields,is it possible if fields value is 0 then show it as "Success"
You can use a lookup. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources
So the search would be something like: foo_search| lookup ldapLookup err OUTPUT description | top description
You can use a lookup. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources
So the search would be something like: foo_search| lookup ldapLookup err OUTPUT description | top description
this works awesome. Thanks for prompt response
Here are the Steps I followed
1)Created ldap_errcodes.csv as below
err,ldaperr_description
1,Operations error
2,Protocol error
2)uploaded this file to Manger>Lookups>Look up table files
3) gave the search
err| lookup ldap_errcodes.csv err OUTPUT ldaperr_description |top err,ldaperr_description