Replace Index Value Permanently

llow · ‎03-21-2012

I want to know how to replace a value inside in index permanently. I know I can use replace to replace it during search time but want to modify the actual value inside the index permanently.

I need this as equipment hostnames may change but I want to keep historical data for that host under the same indexed value.

araitz · ‎03-21-2012

Splunk is unlike a relational-database in that once a value is written to the index, it cannot be removed/replaced surgically.

Thus, for historical data, you will need to reindex the data in question and then use a SED command to do the replacement:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Anonymizedatausingconfigurationfiles#Through_...

Unless you reindex your old data, the replacement will be effective only for data going forward.

lguinn2 · ‎03-21-2012

You could also create a lookup table that maps ip addresses (or old hostnames) to current hostnames. Set it as an automatic lookup and you will always have a field that represents the current hostname. You will only have to maintain a text file (CSV) of the mapping - and you could automate the update of the CSV file.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

araitz · ‎03-21-2012

You could use tags on the host field, or normalize hostnames using search-time extractions. Both these approaches solve your problem without permanently replacing indexed values.

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Tagthehostfield

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Createandmaintainsearch-timefieldextract...

llow · ‎03-21-2012

Eww, there is no easier way to do this? I wanted to automate the process when a hostname change is made in our core monitoring system.

Replace Index Value Permanently

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM