Hello, has anyone worked with ingest-time lookup and familiar with it?
I'm confused on where the lookup is supposed to be. Since this is an ingest-time process, I would think it would need to be in the indexers, but the doc isn't too clear on it.
Also regarding the actual stanza syntax, I'm trying to see if this works:
lookup test field1 AS new_field1 field2 OUTPUT field3
INGEST_EVAL = field3=json_extract(lookup("test", json_object("field1", new_field1, "field2", field2), json_array("field3")), "field3")
Any help would be appreciated.
I was able to get the lookup() function working via test searches. My original lookup didn't work because it was too big at 1.5 G and I had to increase the max_mem_bytes in limits.conf.
Now, for the actual ingest-time lookup, I'm still not able to get it working with a test lookup file I created. I think my initial struggles were due to some of the fields used for the lookup not being indexed fields.
I converted those fields as indexed fields using ingest_eval and also increased the ingest_max_mem_bytes as suggested by the doc.
Are there specific internal logs to watch out for as to why the ingest-time lookup failed?
I'm not having any luck digging through the _internal logs.
You should be able to see relevant messages in splunkd.log, which should be visible in _internal. As you pointed out, ingest-time lookups depend on the fields being present when events are parsed. Are you sure those fields are index-time fields?
Does the lookup have to be in $SPLUNK_HOME/etc/system/lookups?
I tried putting the lookup file and the props.conf/transforms.conf in the indexers as an app, but that didn't work for me.
I also tried the lookup() function as an eval in test searches, but that isn't working. I was following the lookup function guide here:
Ingest-time lookups have to be on whatever server is first performing the parsing phase. Normally that will be your indexer, but it could also be a heavy forwarder (or another Splunk Enterprise instance, if that is where the data is being ingested).
The indexer (or other parsing instance) will use its own knowledge objects, so get the lookup file, props.conf, and transforms.conf onto the server doing the parsing.
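As an added illustration of that answer (not configuration from the thread or from Splunk's docs), here is a minimal app layout for the parsing tier that first creates the index-time fields the lookup matches on and then runs the lookup in the same INGEST_EVAL. The app name, sourcetype, the host_id=... event format and the CSV contents are assumptions; the lookup file and field names follow the thread.

```ini
; Install this app on the indexer or heavy forwarder that parses the data, e.g.
; $SPLUNK_HOME/etc/apps/ingest_lookup_demo/ (app name assumed).
;
; $SPLUNK_HOME/etc/apps/ingest_lookup_demo/lookups/test.csv (constructed sample):
;   field1,field2,field3
;   web01,prod,10.0.0.11
;   web02,prod,10.0.0.12

; ----- default/props.conf -----
[demo:events]
; Raw events are assumed to look like:  host_id=web01 env=prod msg=...
TRANSFORMS-ingest_lookup = demo_ingest_lookup

; ----- default/transforms.conf -----
[demo_ingest_lookup]
; Expressions in one INGEST_EVAL run left to right, so the fields the
; lookup needs exist before lookup() is evaluated. Search-time extractions
; are not available here; the lookup can only see _raw, metadata and
; fields created earlier at index time.
INGEST_EVAL = new_field1=replace(_raw, "^.*host_id=(\S+).*$", "\1"), field2=replace(_raw, "^.*env=(\S+).*$", "\1"), field3=json_extract(lookup("test.csv", json_object("field1", new_field1, "field2", field2), json_array("field3")), "field3")

; ----- default/limits.conf -----
[lookup]
; Raise only if the CSV is larger than the default allows (the thread hit
; this with a 1.5 G file); value below is a placeholder, size it to the file.
ingest_max_mem_bytes = 1073741824

; Checks after restarting the parsing instance and sending a test event:
;   index=_internal sourcetype=splunkd ERROR OR WARN lookup   -> load/match errors
;   | tstats count WHERE index=<your_index> BY field3         -> proves field3 is index-time
; If tstats returns nothing, the input fields were not present at parse time.
```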