Ingest time lookup to add fields does not work

patelmc
Explorer

I need to use federated search, which does not support search-time lookups at this time in Splunk 8.2.2.1.

I came across the Splunk doc on adding fields at ingest time (index time) based on an ingest-time lookup.

https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/IngestLookups

What I am trying to do is, during event ingestion, look up the value of the field "application", match it against the CSV file shown below, and add the fields APP and COMP based on the application value.

e.g. if an incoming event has application=Linux, add an APP field with value 9001 and a COMP field with value 8001.

But it does not work. Please help.

Here are the files I created, as documented.

more /opt/splunk/etc/system/lookups/APP_COMP.csv
application,APP,COMP
Linux,9001,8001
Console,9002,8002
Windows,9003,8003

more /opt/splunk/etc/system/local/props.conf
[access_combine_wcookie]
TRANSFORMS = Active_Events

more /opt/splunk/etc/system/local/transforms.conf
[Active_Events]
INGEST_EVAL= APPCOMP=lookup("APP_COMP.csv", json_object("application", application), json_array("APP", "COMP"))

more /opt/splunk/etc/system/local/fields.conf
[APP]
INDEXED = True
[COMP]
INDEXED = True

0 Karma
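The same three files rewritten so that the two output fields are actually created, as an added example that is neither the poster's config nor Splunk's own documentation. It assumes the lookup() and json_extract() eval functions described on the linked docs page, and that application already exists as an index-time field when the transform runs (search-time extractions are not visible to INGEST_EVAL, so a missing input field makes the lookup return nothing).

```ini
# transforms.conf (added example)
# lookup() returns one JSON object holding the requested output fields, e.g.
# {"APP":"9001","COMP":"8001"}. Assigning that object to a single field, as in
# APPCOMP=lookup(...), never creates APP or COMP. Pull each value out with
# json_extract() instead. Two lookup() calls are used rather than a temporary
# field, because every field an INGEST_EVAL assigns is written as an indexed field.
[Active_Events]
INGEST_EVAL = APP=json_extract(lookup("APP_COMP.csv", json_object("application", application), json_array("APP")), "APP"), COMP=json_extract(lookup("APP_COMP.csv", json_object("application", application), json_array("COMP")), "COMP")

# props.conf: stanza name must match the sourcetype the input actually assigns,
# character for character (the stock pretrained sourcetype is access_combined_wcookie;
# a transform bound to a sourcetype that no event carries never fires). No leading
# whitespace before the stanza header.
[access_combine_wcookie]
TRANSFORMS = Active_Events

# fields.conf: unchanged in substance; declares that APP and COMP are stored in
# the index so search and tstats read them without a search-time lookup.
[APP]
INDEXED = true
[COMP]
INDEXED = true
```

Place the files on the instance that parses the data (indexer or heavy forwarder), restart it, and check freshly indexed events with `| tstats count where index=<your index> by APP COMP`. Events indexed before the change will not carry the fields, since ingest-time transforms are not applied retroactively.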