Ingest-time EVAL configuration

me74fhfd — Thu, 15 Oct 2020 09:31:22 GMT

Hi all,

In this example I want to use existing field Request64 from index index_new and decode it on ingest-time to produce RequestD base64 decoded field in same index. Can you please suggest if following config is valid for this operation:

$ inputs.conf
[monitor:///$SPLUNK_DB/index_new/db]
index=index_new
sourcetype= ST_NEW_DATA

$ cat props.conf
[ST_NEW_DATA]
TRANSFORMS-b64 = Request_t

$ transforms.conf
[Request_t]
INGEST_EVAL = RequestD=base64 field=Request64 action=decode mode=replace suppress_error=True

$ fields.conf
[RequestD]
INDEXED = True

This is macro to decode data:
https://splunkbase.splunk.com/app/1922/#/details

This is dump of index metadata to find monitor path:
| rest /services/data/indexes

coldPath
$SPLUNK_DB/index_new/colddb
coldPath_expanded
/opt/org/splunk_data/splunk/index_new/colddb
homePath
$SPLUNK_DB/index_new/db
homePath_expanded
/opt/org/splunk_data/splunk/index_new/db
id
https://127.0.0.1:8089/servicesNS/nobody/search/data/indexes/index_new
summaryHomePath_expanded
/opt/org/splunk_data/splunk/index_new/summary
thawedPath
$SPLUNK_DB/index_new/thaweddb
tstatsHomePath_expanded
/opt/org/splunk_data/splunk/index_new/datamodel_summary

Re: Ingest-time EVAL configuration

thambisetty — Thu, 15 Oct 2020 09:41:19 GMT

why can't you decode just at search time?

[ST_NEW_DATA]
EVAL-RequestD = urldecode(Request64)

Re: Ingest-time EVAL configuration

me74fhfd — Thu, 15 Oct 2020 10:04:06 GMT

No thats not an option here, takes too much of CPU .

topic Re: Ingest-time EVAL configuration in Splunk Dev

Ingest-time EVAL configuration

Re: Ingest-time EVAL configuration

Re: Ingest-time EVAL configuration