Re: Ingest-time EVAL configuration

me74fhfd · ‎10-15-2020

Hi all,

In this example I want to use existing field Request64 from index index_new and decode it on ingest-time to produce RequestD base64 decoded field in same index. Can you please suggest if following config is valid for this operation:

$ inputs.conf
[monitor:///$SPLUNK_DB/index_new/db]
index=index_new
sourcetype= ST_NEW_DATA

$ cat props.conf
[ST_NEW_DATA]
TRANSFORMS-b64 = Request_t

$ transforms.conf
[Request_t]
INGEST_EVAL = RequestD=base64 field=Request64 action=decode mode=replace suppress_error=True

$ fields.conf
[RequestD]
INDEXED = True

This is macro to decode data:
https://splunkbase.splunk.com/app/1922/#/details

This is dump of index metadata to find monitor path:
| rest /services/data/indexes

coldPath
$SPLUNK_DB/index_new/colddb
coldPath_expanded
/opt/org/splunk_data/splunk/index_new/colddb
homePath
$SPLUNK_DB/index_new/db
homePath_expanded
/opt/org/splunk_data/splunk/index_new/db
id
https://127.0.0.1:8089/servicesNS/nobody/search/data/indexes/index_new
summaryHomePath_expanded
/opt/org/splunk_data/splunk/index_new/summary
thawedPath
$SPLUNK_DB/index_new/thaweddb
tstatsHomePath_expanded
/opt/org/splunk_data/splunk/index_new/datamodel_summary

me74fhfd · ‎10-15-2020

No thats not an option here, takes too much of CPU .

thambisetty · ‎10-15-2020

why can't you decode just at search time?

[ST_NEW_DATA]
EVAL-RequestD = urldecode(Request64)

————————————
If this helps, give a like below.

Ingest-time EVAL configuration

modular input

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor