Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Update a Datamodel Field from a look up

robertlynch2020
Motivator
‎07-27-2017 05:16 AM

I have a DataModel field like below, there are many unique entries

NICKNAME
mx
smcrisk_engine
mxtraderepository_engine
smcobjectrepository_engine
mxmlexchange_mxtaskxa
mxdealscanner_engine
mx_cesar
mx_marketdata_repository_engine
mxprocessingscript

I have a lookup that i want to use to update the datamodels values.

NICKNAME Human_Name_Nickname
mx MX_BASIC
smcrisk_engine RISK_ENGINE
mxtraderepository_engine MX_TRADE_REPO_ENGINE
smcobjectrepository_engine SM_ENGINE
mxmlexchange_mxtaskxa MXMLEXCHANGE
mxdealscanner_engine DEAL_SCANNER
mx_cesar CESAR
mx_marketdata_repository_engine MARKET_DATA
mxprocessingscript PROCESSING_SCRIPT

So for example if i have a NICKNAME="mx" i want this replaced with "MX_BASIC".
I have looked at the lookup editor, but it seems you cant put in logic?

is this correct?

alt text

Preview file
1 KB
0 Karma
Reply

DalJeanis
Legend
‎07-27-2017 04:56 PM

Well, you can't do it through that interface, but you COULD download the datamodel as a JSON, then use a program to modify the JSON files that describe the data model to the system, and finally upload the modified datamodel.

See this page for instructions - http://docs.splunk.com/Documentation/Splunk/6.6.2/Knowledge/Managedatamodels

If you decide to attempt that route, then I'd suggest you copy, rather than modify, the existing datamodel and see how well it works. I'd expect you'd have a fair amount of tweaking to do on your program before it was all clean and happy.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...