Getting Data In

How to create a new field while ingesting data using ingest-time eval?

mala_splunk_91
Explorer

Hi Splunkers, 

I wanted to create a new field name called "app_id" and send it along data while ingesting into Splunk.
I came accross ingest-time eval option can do so.

In my case, I want to have a field like"app_id" with its values extracted using from other fields (bolded in below ) using case condition.

app_id = case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is this a right way to add above case conditions in "Ingest_Eval" field in transforms.conf?

Like,
INGEST_EVAL= app_id=case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is there any alternate solution on this?

Please recommend.

Thanks,

Mala S

Labels (2)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, that is the right method for using INGEST_EVAL to create a field.  An important thing to note is the expression cannot reference any search-time fields (because they don't exist, yet).

What results do you get from that?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...