Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Why in my ingest_time lookup - field does not ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why in my ingest_time lookup - field does not show up?
Hello colleagues,
we've implemented the ingest_time lookups but unfortunately the expected field from the configured csv-lookup does not show up in our searches.
Following implementation steps were executed:
1. props.conf & transforms.conf prepared and stored under $SPLUNK_HOME/etc/system/local on all indexer nodes within the cluster.
2. index_lookup.csv prepared and stored under $SPLUNK_HOME/etc/system/lookups on all indexer nodes within the cluster.
3. Rolling restart of the nodes
4. fields.conf prepared and deployed via SHD to our SHs
props.conf:
[aws:cloudwatch]
TRANSFORMS-define_index = define_rds_index
transforms.conf:
[define_rds_index]
INGEST_EVAL = test_index=json_extract(lookup("index_lookup.csv", json_object("account_id", account_id), json_array(index_tag)),"index_tag")
index_lookup.csv:
| account_id | index_tag |
| 886089063862 | index_platform-sandbox-dev |
fields.conf:
[test_index]
INDEXED = True
Has anyone an idea if we missed a step or something is misconfigured? Thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the permissions of the lookup, if you have read permissions to the lookup, also check if this lookup has permission to view across apps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The lookup is set up on the indexer nodes. Read and write permissions are set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this makes any difference:
transforms.conf (adding double quotes around output field):
[define_rds_index]
INGEST_EVAL = test_index=json_extract(lookup("index_lookup.csv", json_object("account_id", account_id), json_array("index_tag")),"index_tag")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 Thanks for your answer! Unfortunately it doesn't solve it.
Here is an example event:
{"Average": 4.975, "Maximum": 5.0, "Minimum": 4.95, "SampleCount": 2.0, "Sum": 9.95, "Unit": "Percent", "account_id": "886089063862", "metric_dimensions": "DBInstanceIdentifier=[aric664tyxxx]", "metric_name": "CPUUtilization", "period": 120, "timestamp": "2022-03-31T15:48:00Z"}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you confirm (via running btool on your sourcetype) if you've INDEXED_EXTRACTION=json?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 Do we must disable the INDEXED_EXTRACTIONS and apply manually all parsing & formatting parameter?
What’s New & Next in Splunk SOAR
Your Voice Matters! Help Us Shape the New Splunk Lantern Experience
September Community Champions: A Shoutout to Our Contributors!
