How to create a new field while ingesting data using ingest-time eval?

mala_splunk_91 — Fri, 31 Mar 2023 16:15:00 GMT

Hi Splunkers,

I wanted to create a new field name called "app_id" and send it along data while ingesting into Splunk.
I came accross ingest-time eval option can do so.

In my case, I want to have a field like"app_id" with its values extracted using from other fields (bolded in below ) using case condition.

app_id = case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is this a right way to add above case conditions in "Ingest_Eval" field in transforms.conf?

Like,
INGEST_EVAL= app_id=case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is there any alternate solution on this?

Please recommend.

Thanks,

Mala S

Re: Create a new field while ingesting data using ingest-time eval

richgalloway — Thu, 30 Mar 2023 20:47:53 GMT

Yes, that is the right method for using INGEST_EVAL to create a field. An important thing to note is the expression cannot reference any search-time fields (because they don't exist, yet).

What results do you get from that?

topic Re: Create a new field while ingesting data using ingest-time eval in Getting Data In

How to create a new field while ingesting data using ingest-time eval?

Re: Create a new field while ingesting data using ingest-time eval