<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Struggling with ingest-time lookup in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Struggling-with-ingest-time-lookup/m-p/547310#M91101</link>
    <description>&lt;P&gt;Trying to do a lookup at ingest time according to &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/IngestLookups" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/IngestLookups&lt;/A&gt; and can't get it to work.&lt;/P&gt;&lt;P&gt;If I do a simple transform like&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[my-test-eval]
INGEST_EVAL = test=spath(_raw,"Event.System.Computer")&lt;/LI-CODE&gt;&lt;P&gt;I properly get the &lt;EM&gt;test&lt;/EM&gt; field propagated with a value extracted from the event. (As you probably guessed, it's a typical Windows XML-formed event.)&lt;/P&gt;&lt;P&gt;But if I want to use the value retrieved from the event to perform a lookup... sorry, won't happen. And I have no clue why.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[my-test-eval]
INGEST_EVAL = test=coalesce(json_extract(lookup("test.csv",json_object("Key",spath(_raw,"Event.System.Computer"),json_array("Value")),"Value"),"default")&lt;/LI-CODE&gt;&lt;P&gt;There is no test field in the ingested event. Not even having the "default" value.&lt;/P&gt;&lt;P&gt;I tried giving the lookup name as defined in transforms.conf as well as the csv filename itself. I tried putting the lookup in app context as well as in system/local. Nothing works.&lt;/P&gt;&lt;P&gt;To make things more interesting - if I made some mistake in defining the lookup (like giving a wrong column name), I'd get an error in the splunkd.log so it would be obvious that something is not right.&lt;/P&gt;&lt;P&gt;But the problem is I don't get any errors, the transform therefore should be working but it isn't. So I'm completely stuck here.&lt;/P&gt;&lt;P&gt;How to debug this thing?&lt;/P&gt;</description>
    <pubDate>Fri, 09 Apr 2021 08:24:44 GMT</pubDate>
    <dc:creator>PickleRick</dc:creator>
    <dc:date>2021-04-09T08:24:44Z</dc:date>
    <item>
      <title>Struggling with ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Struggling-with-ingest-time-lookup/m-p/547310#M91101</link>
      <description>&lt;P&gt;Trying to do a lookup at ingest time according to &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/IngestLookups" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/IngestLookups&lt;/A&gt; and can't get it to work.&lt;/P&gt;&lt;P&gt;If I do a simple transform like&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[my-test-eval]
INGEST_EVAL = test=spath(_raw,"Event.System.Computer")&lt;/LI-CODE&gt;&lt;P&gt;I properly get the &lt;EM&gt;test&lt;/EM&gt; field propagated with a value extracted from the event. (As you probably guessed, it's a typical Windows XML-formed event.)&lt;/P&gt;&lt;P&gt;But if I want to use the value retrieved from the event to perform a lookup... sorry, won't happen. And I have no clue why.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[my-test-eval]
INGEST_EVAL = test=coalesce(json_extract(lookup("test.csv",json_object("Key",spath(_raw,"Event.System.Computer"),json_array("Value")),"Value"),"default")&lt;/LI-CODE&gt;&lt;P&gt;There is no test field in the ingested event. Not even having the "default" value.&lt;/P&gt;&lt;P&gt;I tried giving the lookup name as defined in transforms.conf as well as the csv filename itself. I tried putting the lookup in app context as well as in system/local. Nothing works.&lt;/P&gt;&lt;P&gt;To make things more interesting - if I made some mistake in defining the lookup (like giving a wrong column name), I'd get an error in the splunkd.log so it would be obvious that something is not right.&lt;/P&gt;&lt;P&gt;But the problem is I don't get any errors, the transform therefore should be working but it isn't. So I'm completely stuck here.&lt;/P&gt;&lt;P&gt;How to debug this thing?&lt;/P&gt;</description>
      <pubDate>Fri, 09 Apr 2021 08:24:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Struggling-with-ingest-time-lookup/m-p/547310#M91101</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2021-04-09T08:24:44Z</dc:date>
    </item>
    <item>
      <title>Re: Struggling with ingest-time lookup</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Struggling-with-ingest-time-lookup/m-p/547314#M91102</link>
      <description>&lt;P&gt;OK. I re-checked it after writing the post (it usually works this way - I struggle with something for a few hours, then ask on community, then have an epiphany &lt;span class="lia-unicode-emoji" title=":rolling_on_the_floor_laughing:"&gt;🤣&lt;/span&gt;). And it seems I had the parentheses wrong in the eval expression. Which only shows how annoying this whole construct is, because you don't get any errors in the logs, so it's hard to troubleshoot.&lt;/P&gt;</description>
      <pubDate>Fri, 09 Apr 2021 08:36:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Struggling-with-ingest-time-lookup/m-p/547314#M91102</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2021-04-09T08:36:16Z</dc:date>
    </item>
  </channel>
</rss>

