I have syslog events being written to a HF locally via syslog-ng. These events are then consumed via a file reader, and the IP address in the log name is extracted as host.
I now want to run an INGEST_EVAL on the IP address and use a lookup to change the host.
If I run the command from search I get the required result:
index=... | eval host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")
This replaces host with "host_value".
I have this working on an AIO instance with the config below.
Now adding to the HF tier: /opt/splunk/etc/apps/myapp/lookups/lookup.csv
The lookup has global access and export = system.
host,host_value
1.2.3.4, myhostname
props.conf:
[mysourcetype]
TRANSFORMS-host_override = host_override
transforms.conf:
[host_override]
INGEST_EVAL =host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")
When applied on the HF (restarted) I see some of the hostnames are changed to "localhost"; the others remain unchanged (but this is due to either the config not working OR the data coming from another HF with the test config not applied).
Any ideas - thx
@Skins, @moja Hello, below is the solution for your question.
1. /opt/log/syslog-ng-sample.log
May 13 15:09:09 1.2.3.4 sim: logging for test
2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv
host,host_value
1.2.3.4,myhostname
3. /opt/splunk/etc/apps/myapp/local/props.conf
[mysourcetype]
TRANSFORMS-host_override = host_override
4. /opt/splunk/etc/apps/myapp/local/transforms.conf
[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host,host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")
5. Result
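The following is an added, offline model of the three assignments in the INGEST_EVAL above (it is not Splunk code and not part of the answer): it applies the same regex to the sample syslog-ng line, the same lookup.csv content, and shows two things a practitioner should check before deploying the transform: a line that does not match the pattern leaves replace() returning the whole _raw as host, and a padded CSV row (like "1.2.3.4, myhostname" in the question) is flagged rather than silently stored. How lookup() behaves on a miss at ingest time is not stated on the page; this model keeps the extracted host, which is an assumption.

```python
import csv
import io
import re

# Same pattern as the posted INGEST_EVAL: "<Mon> <day> <hh:mm:ss> <host> ..."
HOST_RE = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*")

# Constructed lookup content mirroring lookup.csv from the answer above.
LOOKUP_CSV = "host,host_value\n1.2.3.4,myhostname\n"


def load_lookup(text):
    """Parse lookup.csv into {host: host_value}; reject whitespace-padded cells."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key, val = row["host"], row["host_value"]
        if key != key.strip() or val != val.strip():
            # A padded value would be matched/stored with the space included.
            raise ValueError(f"lookup row has whitespace padding: {row!r}")
        table[key] = val
    return table


def ingest_eval(raw, table, current_host="localhost"):
    """Model the comma-separated assignments of the [host_override] stanza."""
    fields = {"_raw": raw, "host": current_host}
    # host=replace(_raw, "<regex>", "\1"): the token after the timestamp.
    # replace() returns its input unchanged when the regex does not match,
    # so an unexpected line shape puts the whole _raw into host.
    m = HOST_RE.match(raw)
    fields["host"] = m.group(1) if m else raw
    # hostname=host : preserve the extracted IP before the lookup rewrites host.
    fields["hostname"] = fields["host"]
    # host=json_extract(lookup(...)): on a hit replace host; on a miss keep it
    # (assumption for this model; the page does not state Splunk's miss behaviour).
    fields["host"] = table.get(fields["host"], fields["host"])
    return fields


if __name__ == "__main__":
    tbl = load_lookup(LOOKUP_CSV)
    print(ingest_eval("May 13 15:09:09 1.2.3.4 sim: logging for test", tbl))
```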
@Skins hi) I faced the same limitation - the inability to use an ingest-time lookup on hw. Did you manage to solve this issue?