Splunk Cloud Platform

Eval-ingest and lookup command in Splunk Cloud

chriso_01
Engager

Hello,

Anyone knows if we can use eval-ingest with lookup command in Splunk Cloud?

The problem is that in Splunk Cloud we can only add configuration via custom app in SH. 

Eval-ingest in general working, but when I'm trying to use lookup command I'm receiving error that lookup was not found. I guess that problem is in this that lookup is on SH level, not on IDX level.

but maybe I'm doing something wrong.

Fields.conf - ok

props.conf - ok

transforms.conf - ok for simple eval-ingest without lookup command

 

Example from transforms.conf

[test_lookup_manual2]
INGEST_EVAL = test_lookup=json_extract(lookup("test.csv",json_object("hostname_test",hostname_test), json_array(value)),"value")

 

lookup added in directory lookups, permissions are ok, visible in splunk from every context

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/IngestLookups

  • If the data is being ingested into Splunk Enterprise, then in the transforms.conf file, you can configure an ingest-time eval that uses the lookup() eval function. This configuration method is only supported in Splunk Enterprise, not Splunk Cloud Platform. For more information, see the rest of the current documentation page.
  • If you have access to the Edge Processor solution, you can use an Edge Processor to apply lookups to your data before routing that data to Splunk Enterprise or Splunk Cloud Platform. For more information, see About the Edge Processor solution and Enrich data with lookups using an Edge Processor in the Use Edge Processors manual.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/IngestLookups

  • If the data is being ingested into Splunk Enterprise, then in the transforms.conf file, you can configure an ingest-time eval that uses the lookup() eval function. This configuration method is only supported in Splunk Enterprise, not Splunk Cloud Platform. For more information, see the rest of the current documentation page.
  • If you have access to the Edge Processor solution, you can use an Edge Processor to apply lookups to your data before routing that data to Splunk Enterprise or Splunk Cloud Platform. For more information, see About the Edge Processor solution and Enrich data with lookups using an Edge Processor in the Use Edge Processors manual.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...