Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

ingest_eval works on AIO instance but different results when applied at the HF tier

Skins
Path Finder
‎02-18-2024 03:33 PM

I have syslog events being written to a HF locally via syslog-ng - these events are then consumed via file reader and the IP address in the log name is extracted as host.

I now want to run an ingest_eval on the ip address and use a lookup to change the host

If i run the cmd from search i get the required result:

index=... | eval host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

this replaces host with "host_value"

I have this working on an AIO instance with the following config below:

Now adding to HF tier : /opt/splunk/etc/apps/myapp/lookups/lookup.csv
lookup has global access and export = system
host,host_value
1.2.3.4, myhostname

props.conf:
[mysourcetype]
TRANSFORMS-host_override = host_override


transforms.conf:
[host_override]
INGEST_EVAL =host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

When applied on the HF (restarted)  i see some of the hostnames are changed to "localhost" the others remain unchanged (but this is due to the config not working OR the data coming from another HF with the test config not applied

Any ideas - thx

Labels (1)
Labels
0 Karma
Reply

victor1004k
Loves-to-Learn Everything
‎05-13-2025 07:53 PM

@Skins , @moja Hello, Bellow is the solution for your question.

1.  /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

 

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname

 

 3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

 

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host,host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

 

5. Result

ingest-time-lookup-for-syslog-ng.jpg

0 Karma
Reply

moja
New Member
‎08-12-2024 07:34 AM

@Skins hi) I faced the same limitation - the inability to use Ingest-time lookup on hw, did you manage to solve this issue?

0 Karma
Reply

victor1004k
Loves-to-Learn Everything
‎05-13-2025 07:55 PM

Hello, Bellow is the solution for your question.

1. /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

 

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname


 3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

 

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host,  host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")


5. Result

victor1004k_0-1747191294744.jpeg

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...