|
I want to know how to replace a value inside in index permanently. I know I can use replace to replace it during search time but want to modify the actual value inside the index permanently. I need this as equipment hostnames may change but I want to keep historical data for that host under the same indexed value. |
|
Splunk is unlike a relational-database in that once a value is written to the index, it cannot be removed/replaced surgically. Thus, for historical data, you will need to reindex the data in question and then use a SED command to do the replacement: Unless you reindex your old data, the replacement will be effective only for data going forward. Eww, there is no easier way to do this? I wanted to automate the process when a hostname change is made in our core monitoring system.
(21 Mar '12, 10:42)
llow
You could use tags on the host field, or normalize hostnames using search-time extractions. Both these approaches solve your problem without permanently replacing indexed values. http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Tagthehostfield
(21 Mar '12, 10:54)
araitz ♦
You could also create a lookup table that maps ip addresses (or old hostnames) to current hostnames. Set it as an automatic lookup and you will always have a field that represents the current hostname. You will only have to maintain a text file (CSV) of the mapping - and you could automate the update of the CSV file. http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions
(21 Mar '12, 15:00)
lguinn ♦
|
