Update a Datamodel Field from a lookup

Motivator

I have a DataModel field like the one below; there are many unique entries.

NICKNAME
mx
smcriskengine
mxtraderepositoryengine
smcobjectrepositoryengine
mxmlexchange
mxtaskxa
mxdealscannerengine
mxcesar
mxmarketdatarepository_engine
mxprocessingscript

I have a lookup that I want to use to update the data model's values.

NICKNAME HumanNameNickname
mx MXBASIC
smcriskengine RISKENGINE
mxtraderepositoryengine MXTRADEREPOENGINE
smcobjectrepositoryengine SMENGINE
mxmlexchange
mxtaskxa MXMLEXCHANGE
mxdealscannerengine DEALSCANNER
mxcesar CESAR
mxmarketdatarepositoryengine MARKETDATA
mxprocessingscript PROCESSINGSCRIPT

So, for example, if I have a NICKNAME="mx", I want this replaced with "MX_BASIC".
I have looked at the lookup editor, but it seems you can't put in logic?

Is this correct?

0 Karma

SplunkTrust

Well, you can't do it through that interface, but you COULD download the datamodel as a JSON, then use a program to modify the JSON files that describe the data model to the system, and finally upload the modified datamodel.

See this page for instructions - http://docs.splunk.com/Documentation/Splunk/6.6.2/Knowledge/Managedatamodels

If you decide to attempt that route, then I'd suggest you copy, rather than modify, the existing datamodel and see how well it works. I'd expect you'd have a fair amount of tweaking to do on your program before it was all clean and happy.

0 Karma
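
The copy-and-modify route suggested in the answer above, sketched as an added example (not code from the thread or from Splunk): it takes an exported data model, renames the copy, and attaches a Lookup calculation to every object that defines NICKNAME, so the human-readable name arrives as a new field beside NICKNAME. The model name `app_inventory`, object `Processes` and lookup name `nickname_lookup` are constructed, and the JSON key names are assumptions about the export layout that should be compared with a real exported file before uploading.

```python
import copy
import json

# Constructed sample standing in for an exported data model. The key names
# are an assumed layout; check them against a real export.
SAMPLE_MODEL = json.loads("""
{"modelName": "app_inventory", "displayName": "App Inventory",
 "objects": [{"objectName": "Processes", "parentName": "BaseEvent",
              "fields": [{"fieldName": "NICKNAME", "type": "string"}],
              "calculations": []},
             {"objectName": "Hosts", "parentName": "BaseEvent",
              "fields": [{"fieldName": "host", "type": "string"}]}]}
""")


def add_lookup_to_copy(model, field, lookup_name, out_field, suffix="_copy"):
    """Return (renamed copy of model, names of objects changed).

    A Lookup calculation keyed on `field` is added to each object that
    defines it; the input model is never modified."""
    new_model = copy.deepcopy(model)
    new_model["modelName"] = model["modelName"] + suffix
    new_model["displayName"] = model.get("displayName", model["modelName"]) + " (copy)"
    touched = []
    for obj in new_model.get("objects", []):
        if field not in {f.get("fieldName") for f in obj.get("fields", [])}:
            continue  # this object does not carry the field, leave it alone
        obj.setdefault("calculations", []).append({
            "calculationID": f"lookup_{lookup_name}_{field}",
            "calculationType": "Lookup",
            "lookupName": lookup_name,  # hypothetical lookup definition name
            "lookupInputs": [{"inputField": field, "lookupField": field}],
            "outputFields": [{"fieldName": out_field, "displayName": out_field,
                              "lookupOutputFieldName": out_field,
                              "type": "string", "required": False,
                              "multivalue": False, "hidden": False}],
        })
        touched.append(obj["objectName"])
    if not touched:
        raise ValueError(f"no object defines field {field!r}")
    return new_model, touched


if __name__ == "__main__":
    updated, objs = add_lookup_to_copy(SAMPLE_MODEL, "NICKNAME",
                                       "nickname_lookup", "HumanNameNickname")
    print("objects changed:", objs)
    print(json.dumps(updated, indent=2))
```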