Solved: How to fake field values

splunkatl · ‎10-09-2012

In our logs I will get field values like
err=0
err=1
.
.
.
err=49

I am able to get the results when run search against "err" field. showing table as below
err count percent
0 10 100.00%

I want to show the results as
err count percent
Success 10 100.00%

How can I rename the values in fields,is it possible if fields value is 0 then show it as "Success"

alacercogitatus · ‎10-09-2012

You can use a lookup. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources

So the search would be something like: foo_search| lookup ldapLookup err OUTPUT description | top description

View solution in original post

alacercogitatus · ‎10-09-2012

You can use a lookup. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources

So the search would be something like: foo_search| lookup ldapLookup err OUTPUT description | top description

splunkatl · ‎10-09-2012

this works awesome. Thanks for prompt response
Here are the Steps I followed
1)Created ldap_errcodes.csv as below
err,ldaperr_description
1,Operations error
2,Protocol error
2)uploaded this file to Manger>Lookups>Look up table files
3) gave the search
err| lookup ldap_errcodes.csv err OUTPUT ldaperr_description |top err,ldaperr_description

How to fake field values

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases