How to create a new field while ingesting data usi...

mala_splunk_91 · ‎03-30-2023

Hi Splunkers,

I wanted to create a new field name called "app_id" and send it along data while ingesting into Splunk.
I came accross ingest-time eval option can do so.

In my case, I want to have a field like"app_id" with its values extracted using from other fields (bolded in below ) using case condition.

app_id = case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is this a right way to add above case conditions in "Ingest_Eval" field in transforms.conf?

Like,
INGEST_EVAL= app_id=case(sourcetype=="aws:ecs:service:acid:stdout", mvindex(split(host,"-"),1), isnotnull('kubernetes.labels.applicationid'), 'kubernetes.labels.applicationid', isnotnull(applicationid) , applicationid, isnotnull(aws_account_id), aws_account_id, 1=1 , "NA")

Is there any alternate solution on this?

Please recommend.

Thanks,

Mala S

richgalloway · ‎03-30-2023

Yes, that is the right method for using INGEST_EVAL to create a field. An important thing to note is the expression cannot reference any search-time fields (because they don't exist, yet).

What results do you get from that?

---
If this reply helps you, Karma would be appreciated.

How to create a new field while ingesting data using ingest-time eval?

props.conf

transforms.conf

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform