Update a Datamodel Field from a look up

robertlynch2020
Influencer

I have a DataModel field like below; there are many unique entries.

NICKNAME
mx
smcrisk_engine
mxtraderepository_engine
smcobjectrepository_engine
mxmlexchange_mxtaskxa
mxdealscanner_engine
mx_cesar
mx_marketdata_repository_engine
mxprocessingscript

I have a lookup that I want to use to update the datamodel's values.

NICKNAME Human_Name_Nickname
mx MX_BASIC
smcrisk_engine RISK_ENGINE
mxtraderepository_engine MX_TRADE_REPO_ENGINE
smcobjectrepository_engine SM_ENGINE
mxmlexchange_mxtaskxa MXMLEXCHANGE
mxdealscanner_engine DEAL_SCANNER
mx_cesar CESAR
mx_marketdata_repository_engine MARKET_DATA
mxprocessingscript PROCESSING_SCRIPT

So, for example, if I have a NICKNAME="mx", I want this replaced with "MX_BASIC".
I have looked at the lookup editor, but it seems you can't put in logic?

Is this correct?

0 Karma

DalJeanis
Legend

Well, you can't do it through that interface, but you COULD download the datamodel as a JSON, then use a program to modify the JSON files that describe the data model to the system, and finally upload the modified datamodel.

See this page for instructions - http://docs.splunk.com/Documentation/Splunk/6.6.2/Knowledge/Managedatamodels

If you decide to attempt that route, then I'd suggest you copy, rather than modify, the existing datamodel and see how well it works. I'd expect you'd have a fair amount of tweaking to do on your program before it was all clean and happy.

0 Karma
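
One possible shape for the "program to modify the JSON" step described in the answer above, as an added example that is not from the thread or from Splunk: it works on a copy of the model and attaches a Lookup calculation to every object that has NICKNAME. The sample model, the lookup definition name nickname_lookup and the function name are constructed, and the key names (calculationType, lookupInputs, outputFields, lookupOutputFieldName) are assumed to match the data model JSON layout of your Splunk version.

```python
import copy
import json

# Constructed, minimal stand-in for an exported data model (not from the thread).
# Key names are an assumption about the export layout; check your own export.
SAMPLE_MODEL = {
    "modelName": "mx_processes",
    "objects": [
        {"objectName": "Process", "parentName": "BaseEvent",
         "fields": [{"fieldName": "NICKNAME", "type": "string"}],
         "calculations": []},
        {"objectName": "Other", "parentName": "BaseEvent",
         "fields": [{"fieldName": "host", "type": "string"}],
         "calculations": []},
    ],
}


def add_lookup_to_copy(model, lookup_name, in_field, out_field, suffix="_copy"):
    """Return a renamed copy of `model` with a Lookup calculation added to
    every object that has `in_field`; the input model is left untouched."""
    new = copy.deepcopy(model)
    new["modelName"] = model["modelName"] + suffix
    for obj in new.get("objects", []):
        if not any(f.get("fieldName") == in_field for f in obj.get("fields", [])):
            continue  # object does not carry the field we want to translate
        calcs = obj.setdefault("calculations", [])
        # Skip objects that already reference this lookup, so re-runs are harmless.
        if any(c.get("lookupName") == lookup_name for c in calcs):
            continue
        calcs.append({
            "calculationType": "Lookup",
            "lookupName": lookup_name,  # hypothetical lookup definition name
            "lookupInputs": [{"inputField": in_field, "lookupField": in_field}],
            "outputFields": [{"fieldName": out_field,
                              "lookupOutputFieldName": out_field,
                              "type": "string"}],
        })
    return new


if __name__ == "__main__":
    result = add_lookup_to_copy(SAMPLE_MODEL, "nickname_lookup",
                                "NICKNAME", "Human_Name_Nickname")
    print(json.dumps(result, indent=2))
```

Compare the generated calculation against one created through the data model editor and exported, since required keys can differ between Splunk versions.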