Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to ingest-time eval _indextime field?

oshirnin
Path Finder
‎10-15-2019 01:00 AM

Hello!

I have a distributed deployment of Splunk Enterprise. All my UFs send raw events to two HFs, these send cooked data to three-node IDX cluster. My search interface is three-node SH cluster. I plan to use a few ingest-time eval fields, first of all I tested how it works, placing:

props.conf to HFs:

props.conf
------------------------------------------------------------
[airwatch_iis_flogs]
TRANSFORMS = ingest-eval-rule-size_bytes, ingest-eval-rule-orig_host, ingest-eval-rule-orig_time

transforms.conf to HFs:

transforms.conf
------------------------------------------------------------
[ingest-eval-rule-size_bytes]
INGEST_EVAL = size_bytes=len(_raw)

[ingest-eval-rule-orig_host]
INGEST_EVAL = orig_host=upper(host)

[ingest-eval-rule-orig_time]
INGEST_EVAL = orig_time=_time

fields.conf to SHs:

fields.conf
------------------------------------------------------------
[size_bytes]
INDEXED = True

[orig_host]
INDEXED = True

[orig_time]
INDEXED = True

I put props.conf/transforms.conf to HFs (not to IDXs) as these servers process all the raw events and cook the data for indexers. This configuration works like a charm: querying 

index=* sourcetype=airwatch_iis_flogs

I get the events having expected indexed fields size_bytes (calculated), orig_host (uppercase) and orig_host (match _time).

Now, field of interest to me is _indextime. I want to index the latency:

transforms.conf
 ------------------------------------------------------------
 [ingest-eval-rule-latency_sec]
 INGEST_EVAL = latency_sec=_indextime-_time

I also put the relevant changes to props.conf and fields.conf, but unfortunately this configuration doesn't work. Is it maybe because _indextime is empty while cooking events on HFs, and actually filled up while writing events to disk on indexers (not sure, where IndexQueue lives - on IDXs or HFs)?

What should I do to use this _indextime field in ingest-time eval - maybe put:

outputs.conf
------------------------------------------------------------
sendCookedData = false

to my HFs, move all props.conf/transforms.conf to IDXs? I feel myself, there are more drawbacks then benefts from this decision.

Are there any more limitations using _indextime ingest-time eval?

0 Karma
Reply

BDein
Explorer
‎01-20-2022 03:17 AM

Hi Guys,

This is a very interesting topic, for which I've made an app, not only for HF's but also for the IDX's, however I do see some challenges here...
First of all I took a little different approach in props.conf, as I used the [default] stanza, with the aim to hit ALL events coming in.
It works - to a curtain extend, but it's really wired (to me) how, as most UF's sends their data through the HF's, and some directly to the IDX's, and for some strange reason, that I've spend quite some time investigating - without a solution (nor explanation) yet.

Some hosts "hits" the transforms (props) and gets the new values, and some don't, even though the all pass the same HF's.

Of those host sending directly to the IDX's none of them "hits" the transforms.

transforms.conf
---------------------------
[ingest-eval-rule-timeskew]
INGEST_EVAL = timeSkew=time() - _time
WRITE_META=true

[ingest-eval-rule-evtsize]
INGEST_EVAL = evtSizeB=len(_raw)
WRITE_META=true

[ingest-eval-rule-tierhost]
INGEST_EVAL = tierHost=replace(splunk_server,"\..*","")
WRITE_META = true

props.conf
---------------------------
[default]
TRANSFORMS = ingest-eval-rule-timeskew, ingest-eval-rule-evtsize, ingest-eval-rule-tierhost

fields.conf
---------------------------
[timeSkew]
INDEXED = True

[evtSizeB]
INDEXED = True

[tierHost]
INDEXED = True

Does anyone of you have an idea about:

  1. Why none of the data parsing direct to the IDX's don't "hit" this transform?
  2. Why some hosts (UF's) sending data through the HF's "hits" and some don't?
0 Karma
Reply

BDein
Explorer
‎01-20-2022 05:41 AM

I actually just got this one into place by simply adding a wildcard to props.conf, so it now looks like this:

[default]
TRANSFORMS = ingest-eval-rule-timeskew, ingest-eval-rule-evtsize, ingest-eval-rule-tierhost

[(?::){0}*]
TRANSFORMS = ingest-eval-rule-timeskew, ingest-eval-rule-evtsize, ingest-eval-rule-tierhost

 

And now all - except for a few internal sourcetypes, it's great.

0 Karma
Reply

norbert_hamel
Communicator
‎02-08-2020 03:05 AM

Hi @oshirnin ,
the eval statement now() is not available for INGEST_EVAL. But you can use time(), which does pretty much the same and which can be used for INGEST_EVAL. So please try the following:

[ingest-eval-rule-latency_sec]
INGEST_EVAL = latency_sec= time() - _time

I had a similar requirement yesterday and tested that successfully. This will also give more accuracy than _indextime, since time() includes subseconds, which are not available in _indextime, potentially leading to negative latency values when _indextime and _time are in the same second.

Cheers

Reply

season88481
Contributor
‎07-08-2020 03:18 PM

Please ignore my question. Heavy Forwarder seems able to get time() as well. My Splunk version is 7.3.1

0 Karma
Reply

season88481
Contributor
‎07-08-2020 03:07 PM

Hi norbert_hamel

 

I try to get time() in my Heavy Forwarder, doesn't seem working.

Are you putting the ingest_eval at your heavy forwarder as well?

And what is your Splunk version

Many thanks.

Cheers,

S

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2019 06:18 AM

I believe it's not possible to reference the _indextime field at index time since it is not defined until after all other props and transforms are processed. You'll need to calculate latency at search time.
I'm waiting to be corrected on this.

---
If this reply helps you, Karma would be appreciated.
Reply

oshirnin
Path Finder
‎10-17-2019 06:24 AM

Hello, @richgalloway ! I feel the same. I think it would be enough to ingest-eval now() but strange - it doesn't work! Do you maybe see errors in the configs?

transforms.conf
------------------------------------------------------------
[ingest-eval-rule-time_now]
INGEST_EVAL = time_now = now()

props.conf
------------------------------------------------------------
[airwatch_iis_flogs]
TRANSFORMS = ingest-eval-rule-time_now

fields.conf
------------------------------------------------------------
[time_now]
INDEXED = True
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2019 08:07 AM

Why ingest now()? _indextime is already available and it pretty much the same thing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...