https://community.splunk.com/t5/Splunk-ITSI/concatenate-a-field-to-my-source-and-regex-the-result/m-p/533859#M2263 <P>Splunk Noob.<BR />I have a custom http sourcetype with multiple data sources. For one of these sources (aws:firehose), I need to concatenate a field value (ecs_task_definition) to the source value, then do a regex or an eval at some point to remove the trailing colon and numbers, preferably all at index time. I've been advised the field=ecs_task_definition will contain a few hundred dynamic values that will change from time to time, so I can't assign these statically.</P><P>My example:</P><P>sourcetype=httpevent</P><P>source=aws:billing<BR />source=aws:s3<BR />source=aws:inspector<BR />source=aws:firehose</P><P>ecs_task_definition=arc-permission-service-worker:100<BR />ecs_task_definition=arc-enrollment-service:182<BR />ecs_task_definition=arc-reporting-service:234<BR />ecs_task_definition=arc-tenant-service:332</P><P>I would like the final result to look like:</P><P>source=aws:firehose:arc-tenant-service<BR />source=aws:firehose:arc-reporting-service</P><P><BR />I have been trying to do this in props and transforms without success. I think I'm having both syntax problems added to a general lack of understanding of what I can and can't do at index time verses search time. Any help would be much appreciated. Thanks</P> Tue, 22 Dec 2020 16:11:22 GMT ictrees28 2020-12-22T16:11:22Z https://community.splunk.com/t5/Splunk-ITSI/concatenate-a-field-to-my-source-and-regex-the-result/m-p/533859#M2263 <P>Splunk Noob.<BR />I have a custom http sourcetype with multiple data sources. For one of these sources (aws:firehose), I need to concatenate a field value (ecs_task_definition) to the source value, then do a regex or an eval at some point to remove the trailing colon and numbers, preferably all at index time. I've been advised the field=ecs_task_definition will contain a few hundred dynamic values that will change from time to time, so I can't assign these statically.</P><P>My example:</P><P>sourcetype=httpevent</P><P>source=aws:billing<BR />source=aws:s3<BR />source=aws:inspector<BR />source=aws:firehose</P><P>ecs_task_definition=arc-permission-service-worker:100<BR />ecs_task_definition=arc-enrollment-service:182<BR />ecs_task_definition=arc-reporting-service:234<BR />ecs_task_definition=arc-tenant-service:332</P><P>I would like the final result to look like:</P><P>source=aws:firehose:arc-tenant-service<BR />source=aws:firehose:arc-reporting-service</P><P><BR />I have been trying to do this in props and transforms without success. I think I'm having both syntax problems added to a general lack of understanding of what I can and can't do at index time verses search time. Any help would be much appreciated. Thanks</P> Tue, 22 Dec 2020 16:11:22 GMT https://community.splunk.com/t5/Splunk-ITSI/concatenate-a-field-to-my-source-and-regex-the-result/m-p/533859#M2263 ictrees28 2020-12-22T16:11:22Z https://community.splunk.com/t5/Splunk-ITSI/concatenate-a-field-to-my-source-and-regex-the-result/m-p/533864#M2264 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229930">@ictrees28</a>, if you are using version 7.2 or later, you can create or update any field with INGEST_EVAL easily. Since you will able to use the same syntax as EVAL, you can test your EVAL on search then apply to transform .</P><P>Sample;</P><LI-CODE lang="markup">props.conf [httpevent] TRANSFORMS-update_source = update_source transforms.conf [update_source] INGEST_EVAL = source:=source.":".mvindex(split(ecs_task_definition,":"),0)</LI-CODE><P>&nbsp;</P> Tue, 22 Dec 2020 17:02:03 GMT https://community.splunk.com/t5/Splunk-ITSI/concatenate-a-field-to-my-source-and-regex-the-result/m-p/533864#M2264 scelikok 2020-12-22T17:02:03Z https://community.splunk.com/t5/Splunk-ITSI/concatenate-a-field-to-my-source-and-regex-the-result/m-p/533875#M2265 <P>Thank you so much, that makes perfect sense.&nbsp; &nbsp;That said, it's still not extracting my ecs_task_definition field.&nbsp;</P><P>The internal index error message reads "<SPAN class="t">Cannot</SPAN> <SPAN class="t">parse</SPAN> <SPAN class="t a"><SPAN class="t">INGEST_EVAL</SPAN></SPAN> <SPAN class="t">statement</SPAN><SPAN> "</SPAN><SPAN class="t">source:</SPAN> <SPAN class="t">=</SPAN> <SPAN class="t">source.</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">.mvindex</SPAN><SPAN>(</SPAN><SPAN class="t">split</SPAN><SPAN>(</SPAN><SPAN class="t">ecs_task_definition</SPAN><SPAN>,"</SPAN><SPAN class="t">:</SPAN><SPAN>"),</SPAN><SPAN class="t">0</SPAN><SPAN>)" </SPAN><SPAN class="t">into</SPAN> <SPAN class="t">component</SPAN> <SPAN class="t">parts</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t"><SPAN class="t h">update</SPAN>_source</SPAN></P><P><SPAN class="t">Not sure what I'm doing wrong.&nbsp; </SPAN></P> Tue, 22 Dec 2020 19:08:14 GMT https://community.splunk.com/t5/Splunk-ITSI/concatenate-a-field-to-my-source-and-regex-the-result/m-p/533875#M2265 ictrees28 2020-12-22T19:08:14Z