How to create a new field while ingesting data usi...

mala_splunk_91 · ‎03-30-2023

Hi Splunkers,

I wanted to create a new field name called "app_id" and send it along data while ingesting into Splunk.
I came accross ingest-time eval option can do so.

In my case, I want to have a field like"app_id" with its values extracted using from other fields (bolded in below ) using case condition.

app_id = case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is this a right way to add above case conditions in "Ingest_Eval" field in transforms.conf?

Like,
INGEST_EVAL= app_id=case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is there any alternate solution on this?

Please recommend.

Thanks,

Mala S

richgalloway · ‎03-30-2023

Yes, that is the right method for using INGEST_EVAL to create a field. An important thing to note is the expression cannot reference any search-time fields (because they don't exist, yet).

What results do you get from that?

---
If this reply helps you, Karma would be appreciated.

How to create a new field while ingesting data using ingest-time eval?

props.conf

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation