topic Re: Eval Expression filter ingestion actions in Splunk Enterprise

Eval Expression filter ingestion actions

vishalduttauk — Fri, 18 Jul 2025 14:18:55 GMT

I am ingesting data from the Splunk Add on for O365. I want to use the Eval Expression filter within an ingestion action to filter what email addresses we ingest data from. Sampling the data is easy but the next bit isn't. I drop events where the RecipientAddress is not splunk.test@test.co.uk.

Creating an | eval within a search is simple but creating something that works for a filter using eval expression, which drops Events is where i am struggling.

Our Exchange/Entra team are having problems limiting the online mailboxes the Splunk application which is why I am looking at this workaround.

Ignore the application thats tagged as we are using Enterprise 9.3.4. Can you help?

Re: Eval Expression filter ingestion actions

livehybrid — Fri, 18 Jul 2025 14:48:31 GMT

Hi @vishalduttauk

Can you share the eval you created which works in the search and I can check this against Ingest Actions.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Eval Expression filter ingestion actions

vishalduttauk — Fri, 18 Jul 2025 15:02:08 GMT

Hi @livehybrid, Here is the eval which works on the search | eval match=if(RecipientAddress="splunk.test@vwfs.co.uk",1,0) | search match=1

Re: Eval Expression filter ingestion actions

vishalduttauk — Fri, 18 Jul 2025 15:16:47 GMT

I might have a solution now by using this statement:

NOT match(_raw,"splunk.test@test.co.uk")

Re: Eval Expression filter ingestion actions

PickleRick — Sat, 19 Jul 2025 08:07:25 GMT

The typical issue when working in the ingest pipeline is that you don't have search-time field extracted at this point. You must work on raw event contents.

Re: Eval Expression filter ingestion actions

PrewinThomas — Tue, 22 Jul 2025 05:05:30 GMT

@vishalduttauk

In a regular search, RecipientAddress is extracted at search time, so you can use it directly in eval. But in Ingest Actions, you're working with the raw event stream before field extractions happen.

But you can use this as workaround to drop events that contain this email address.

NOT match(_raw, "splunk\.test@test\.co\.uk")

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: Eval Expression filter ingestion actions

vishalduttauk — Tue, 22 Jul 2025 07:38:18 GMT

Thank you Prewin that has worked