Hi,

we have a series of indexes, storing different data structures (each with its own sourcetype) that have in them a series of fields that are common.

We wanted to have a single point of reference in the system for translations. We thought of having a specific app that has this information and applies all the configured translations in any other app, regardless of the index and or sourcetype displayed.

We thought of something like this. Inside a app, in the default section we create the following stanzas.

In the transforms.conf we add, in the standard way, the possible translations.

[glbl_common_field_a_dcdng]
default_match = "Unknown"
filename = glbl_common_field_a_dcdng.csv
min_matches = 1

[glbl_common_field_b_dcdng]
default_match = "Unknown"
filename = glbl_common_field_b_dcdng.csv
min_matches = 1

(...)

[glbl_common_field_z_dcdng]
default_match = "Unknown"
filename = glbl_common_field_z_dcdng.csv
min_matches = 1

and in the props.conf, we set a stanza with some sort of accepted wildcard that automates any possible translation. Something like below:


[*]
LOOKUP-auto_glbl_common_field_a_dcdng = glbl_common_field_a_dcdng field_a OUTPUT decode_output AS field_a_decoded
LOOKUP-auto_glbl_common_field_b_dcdd = glbl_common_field_b_dcdng field_b OUTPUT decode_output AS field_b_decoded
(...)
LOOKUP-auto_glbl_common_field_z_dcdd = glbl_common_field_z_dcdng field_z OUTPUT decode_output AS field_z_decoded


Would this work? Is there another (more efficient) way to do this?

Thanks