Replace Index Value Permanently

llow
Explorer

I want to know how to replace a value inside an index permanently. I know I can use replace to replace it during search time but want to modify the actual value inside the index permanently.

I need this as equipment hostnames may change but I want to keep historical data for that host under the same indexed value.

0 Karma

araitz
Splunk Employee

Splunk is unlike a relational database in that once a value is written to the index, it cannot be removed/replaced surgically.

Thus, for historical data, you will need to reindex the data in question and then use a SED command to do the replacement:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Anonymizedatausingconfigurationfiles#Through_...

Unless you reindex your old data, the replacement will be effective only for data going forward.

lguinn2
Legend

You could also create a lookup table that maps IP addresses (or old hostnames) to current hostnames. Set it as an automatic lookup and you will always have a field that represents the current hostname. You will only have to maintain a text file (CSV) of the mapping - and you could automate the update of the CSV file.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

0 Karma
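One way to automate the CSV maintenance suggested in the answer above, as an added example that is not part of the original posts: each rename reported by the monitoring system is folded into a flat mapping, so a host renamed several times still resolves to its latest name in one lookup. The column names `host` and `current_host`, the function names and the sample hostnames are assumptions made for this sketch.

```python
import csv
import os
import tempfile

FIELDS = ["host", "current_host"]  # assumed column names, not from the thread

def apply_rename(mapping, old, new):
    """Return a new {indexed host: current hostname} dict after old -> new."""
    if not old or not new:
        raise ValueError("hostnames must be non-empty")
    updated = dict(mapping)
    if old == new:
        return updated
    # Re-point every name that currently resolves to `old`, so a chain
    # (a -> b, later b -> c) collapses to a -> c and b -> c.
    for indexed, current in mapping.items():
        if current == old:
            updated[indexed] = new
    updated[old] = new
    updated[new] = new  # identity row: events indexed under the new name resolve too
    return updated

def load(path):
    """Read the lookup CSV; a missing file is an empty mapping."""
    if not os.path.exists(path):
        return {}
    with open(path, newline="") as fh:
        return {r["host"]: r["current_host"] for r in csv.DictReader(fh)}

def save(path, mapping):
    # Write a temp file in the same directory, then rename it into place,
    # so a search never reads a half-written lookup file.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(FIELDS)
        writer.writerows(sorted(mapping.items()))
    os.replace(tmp, path)

def record_rename(path, old, new):
    """Load the lookup, apply one rename, persist it, return the mapping."""
    mapping = apply_rename(load(path), old, new)
    save(path, mapping)
    return mapping
```

Hostnames are kept exactly as given, without case folding, so the rows match the indexed `host` values as written.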

araitz
Splunk Employee

You could use tags on the host field, or normalize hostnames using search-time extractions. Both these approaches solve your problem without permanently replacing indexed values.

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Tagthehostfield

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Createandmaintainsearch-timefieldextract...

0 Karma

llow
Explorer

Eww, there is no easier way to do this? I wanted to automate the process when a hostname change is made in our core monitoring system.

0 Karma