Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ingest_eval works on AIO instance but different results when applied at the HF tier

Skins
Path Finder
‎02-18-2024 03:33 PM

I have syslog events being written to a HF locally via syslog-ng - these events are then consumed via file reader and the IP address in the log name is extracted as host.

I now want to run an ingest_eval on the ip address and use a lookup to change the host

If i run the cmd from search i get the required result:

index=... | eval host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

this replaces host with "host_value"

I have this working on an AIO instance with the following config below:

Now adding to HF tier : /opt/splunk/etc/apps/myapp/lookups/lookup.csv
lookup has global access and export = system
host,host_value
1.2.3.4, myhostname

props.conf:
[mysourcetype]
TRANSFORMS-host_override = host_override


transforms.conf:
[host_override]
INGEST_EVAL =host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

When applied on the HF (restarted)  i see some of the hostnames are changed to "localhost" the others remain unchanged (but this is due to the config not working OR the data coming from another HF with the test config not applied

Any ideas - thx

Labels (1)
Labels
0 Karma
Reply

victor1004k
Loves-to-Learn Everything
‎05-13-2025 07:53 PM

@Skins , @moja Hello, Bellow is the solution for your question.

1.  /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

 

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname

 

 3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

 

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host,host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

 

5. Result

ingest-time-lookup-for-syslog-ng.jpg

0 Karma
Reply

moja
New Member
‎08-12-2024 07:34 AM

@Skins hi) I faced the same limitation - the inability to use Ingest-time lookup on hw, did you manage to solve this issue?

0 Karma
Reply

victor1004k
Loves-to-Learn Everything
‎05-13-2025 07:55 PM

Hello, Bellow is the solution for your question.

1. /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

 

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname


 3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

 

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host,  host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")


5. Result

victor1004k_0-1747191294744.jpeg

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...