<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Ingest-time lookup in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/563238#M100356</link>
    <description>&lt;P&gt;You should be able to see relevant messages in splunkd.log, which should be visible in _internal. As you pointed out, ingest-time lookups depend on fields being present when events are retrieved from the index. Are you sure those fields are index-time fields?&lt;/P&gt;</description>
    <pubDate>Fri, 13 Aug 2021 18:47:57 GMT</pubDate>
    <dc:creator>jpathak_splunk</dc:creator>
    <dc:date>2021-08-13T18:47:57Z</dc:date>
    <item>
      <title>Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/537915#M90160</link>
      <description>&lt;P&gt;Hello, has anyone worked with ingest-time lookups and is familiar with them?&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/IngestLookups" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/IngestLookups&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I'm confused about where the lookup is supposed to be. &amp;nbsp;Since this is an ingest-time process, I would think it would need to be on the indexers, but the doc isn't too clear on it.&lt;/P&gt;&lt;P&gt;Also, regarding the actual stanza syntax, I'm trying to see if this works:&lt;/P&gt;&lt;P&gt;Lookup command:&lt;/P&gt;&lt;P&gt;lookup test field1 AS new_field1 field2 OUTPUT field3&lt;/P&gt;&lt;P&gt;[lookup-extract]&lt;BR /&gt;INGEST_EVAL= field3=json_extract(lookup("test", json_object("field1", new_field1, "field2", field2), json_array("field3")),"field3")&lt;/P&gt;&lt;P&gt;Any help would be appreciated.&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2021 20:45:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/537915#M90160</guid>
      <dc:creator>tah7004</dc:creator>
      <dc:date>2021-01-29T20:45:27Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/537993#M90178</link>
      <description>&lt;P&gt;Ingest-time lookups have to be on whatever server is first performing the parsing phase.&amp;nbsp; Normally that will be your indexer, but could also be on a heavy forwarder (or other Splunk Enterprise if they are where the data is being ingested).&amp;nbsp;&amp;nbsp;&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&lt;BR /&gt;The Indexer (or other) will use their own knowledge objects, so get the lookup, props, and transforms on the server doing parsing.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 31 Jan 2021 04:04:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/537993#M90178</guid>
      <dc:creator>The_Simko</dc:creator>
      <dc:date>2021-01-31T04:04:33Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/538090#M90199</link>
      <description>&lt;P&gt;Does the lookup have to be in&amp;nbsp;&lt;SPAN&gt;$SPLUNK_HOME/etc/system/lookups?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I tried putting the lookup file and the props/transforms.conf on the indexers as an app, but that didn't work for me.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I also tried the lookup() function as an eval in test searches, but that isn't working. &amp;nbsp;I was following the lookup function guide here:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/ConditionalFunctions" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/ConditionalFunctions&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 01 Feb 2021 14:11:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/538090#M90199</guid>
      <dc:creator>tah7004</dc:creator>
      <dc:date>2021-02-01T14:11:23Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/538287#M90235</link>
      <description>&lt;P&gt;Some updates. &amp;nbsp;&lt;/P&gt;&lt;P&gt;I was able to get the lookup() function working via test searches. &amp;nbsp;My original lookup didn't work because it was too big at 1.5 G, and I had to increase max_mem_bytes in limits.conf.&lt;/P&gt;&lt;P&gt;Now, for the actual ingest-time lookup, I'm still not able to get it working with a test lookup file I created. &amp;nbsp;I think my initial struggles were due to some of the fields used for the lookup not being indexed fields. &amp;nbsp;&lt;/P&gt;&lt;P&gt;I converted those fields to indexed fields using INGEST_EVAL and also increased ingest_max_mem_bytes as suggested by the doc.&lt;/P&gt;&lt;P&gt;Are there specific internal logs to watch for as to why the ingest-time lookup failed?&lt;/P&gt;&lt;P&gt;I'm not having any luck digging through the _internal logs.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Feb 2021 14:05:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/538287#M90235</guid>
      <dc:creator>tah7004</dc:creator>
      <dc:date>2021-02-02T14:05:59Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/563238#M100356</link>
      <description>&lt;P&gt;You should be able to see relevant messages in splunkd.log, which should be visible in _internal. As you pointed out, ingest-time lookups depend on fields being present when events are retrieved from the index. Are you sure those fields are index-time fields?&lt;/P&gt;</description>
      <pubDate>Fri, 13 Aug 2021 18:47:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/563238#M100356</guid>
      <dc:creator>jpathak_splunk</dc:creator>
      <dc:date>2021-08-13T18:47:57Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746008#M118560</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/168428"&gt;@tah7004&lt;/a&gt;&amp;nbsp; To use an ingest-time lookup, the field you want to apply must be specified as an indexed field. You can apply it successfully by configuring the configuration files as follows.&lt;/P&gt;&lt;P&gt;1. $SPLUNK_HOME/etc/apps/myapp/lookups/test.csv&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;field1,field2,field3
value1,value2,value3&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;2. $SPLUNK_HOME/etc/apps/myapp/local/props.conf&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[test_ingest_lookup]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
TRANSFORMS-ingest_time_lookup = regex_extract_av_pairs, lookup_extract&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;3. $SPLUNK_HOME/etc/apps/myapp/local/transforms.conf&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[regex_extract_av_pairs]
SOURCE_KEY = _raw
REGEX = \s([a-zA-Z][a-zA-Z0-9-]+)=([^\s"',]+)
REPEAT_MATCH = true
FORMAT = $1::"$2"
WRITE_META = true

[lookup_extract]
INGEST_EVAL= field3=json_extract(lookup("test.csv", json_object("field1", field1, "field2", field2), json_array("field3")),"field3")&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;You can refer to another solution using &lt;STRONG&gt;INDEXED_EXTRACTIONS=json&lt;/STRONG&gt; in the link below.&lt;/SPAN&gt;&lt;/P&gt;&lt;P class=""&gt;- How to filter Splunk data at ingest time (list matching)&lt;BR /&gt;&lt;A title=" You can refer to another solution using INDEXED_EXTRACTIONS=json in the link below." href="https://qiita.com/chobiyu/items/aec5ef3a75a8bab96546" target="_self"&gt;https://qiita.com/chobiyu/items/aec5ef3a75a8bab96546&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 26 May 2025 09:04:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746008#M118560</guid>
      <dc:creator>victor1004k</dc:creator>
      <dc:date>2025-05-26T09:04:39Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746024#M118567</link>
      <description>&lt;P&gt;Not necessarily. You can use an output of a function operating on _raw as argument to the lookup() function.&lt;/P&gt;</description>
      <pubDate>Tue, 13 May 2025 07:24:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746024#M118567</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2025-05-13T07:24:11Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746035#M118571</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/168428"&gt;@tah7004&lt;/a&gt;&amp;nbsp; OK! Below is the answer you are talking about.&lt;BR /&gt;&lt;BR /&gt;1.&amp;nbsp;&amp;nbsp;&lt;SPAN&gt;$SPLUNK_HOME/etc/apps/myapp/local/&lt;/SPAN&gt;props.conf&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;TRANSFORMS-ingest_time_lookup = lookup_extract&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2.&amp;nbsp; &lt;SPAN&gt;$SPLUNK_HOME/etc/apps/myapp/local/&lt;/SPAN&gt;transforms.conf&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[lookup_extract]
INGEST_EVAL= field1=replace(_raw, ".*field1=([0-9A-Za-Z.]+).*", "\1"), field2=replace(_raw, ".*field2=([0-9A-Za-Z.]+).*", "\1"), field3=json_extract(lookup("test.csv", json_object("field1", field1, "field2", field2), json_array("field3")),"field3")&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 26 May 2025 09:04:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746035#M118571</guid>
      <dc:creator>victor1004k</dc:creator>
      <dc:date>2025-05-26T09:04:59Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746341#M118621</link>
      <description>One more comment. Don't use .../etc/system/local for (almost) anything! Create your own app and use it to store your conf files. That way everything works much better in the long run.</description>
      <pubDate>Fri, 16 May 2025 15:58:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-time-lookup/m-p/746341#M118621</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2025-05-16T15:58:58Z</dc:date>
    </item>
  </channel>
</rss>

