Human Redable Legend text without using case

Question

Hi,

My log snippet is as shown below:

productid=12 email=abc@gg.com 
productid=13 email=pqr@aa.com 
productid=14 email=xyz@cc.com 
productid=15 email=xyz@cc.com

I've a timechart with below query:

index=myindex sourcetype=mylog
| eval    
productname=case(productid==12,"Product1",productid==13,"Product2",productid==14,"Product3")
| timechart count by productname usenull=f

Here, I'm using case since I need to show legend in human readable format but the problem is that I may have more than 15 productids in future. And I don't want to hard code them all in case condition. Is there any other way to display legend without this comparision?

Any help is much appreciated!

Thanks!

Answer 1

2

Have you looked into using a lookup to translate productid to human readable product names?

Take a look at http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources?r=searchtip -> it's a really powerful and handy command.

Brian

link

answered 06 Mar '12, 12:00

Brian Osburn
211●1●2●21
accept rate: 23%

Human Redable Legend text without using case

Follow this question

Splunk Resources

Related questions