Splunk Enterprise

Eval Expression filter ingestion actions

vishalduttauk
Communicator

I am ingesting data from the Splunk Add on for O365. I want to use the Eval Expression filter within an ingestion action to filter what email addresses we ingest data from. Sampling the data is easy but the next bit isn't. I drop events where the RecipientAddress is not splunk.test@test.co.uk.


Creating an | eval within a search is simple, but creating something that works for a filter using an eval expression, which drops events, is where I am struggling.

Our Exchange/Entra team are having problems limiting the online mailboxes the Splunk application which is why I am looking at this workaround.

Ignore the application that's tagged, as we are using Enterprise 9.3.4. Can you help?


PrewinThomas
Builder

@vishalduttauk 

In a regular search, RecipientAddress is extracted at search time, so you can use it directly in eval. But in Ingest Actions, you're working with the raw event stream before field extractions happen.

But you can use this as a workaround to drop events that contain this email address.

NOT match(_raw, "splunk\.test@test\.co\.uk")

 

Regards,
Prewin
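To make the ingest-time versus search-time difference concrete, here is an added Python emulation that is not from the thread or from Splunk. It assumes the filter drops an event when its eval expression is true (as the thread implies), uses constructed sample events in a JSON shape that is an assumption about the O365 add-on's raw format, and compares the accepted pattern with the unescaped-dot version and with a pattern anchored to the field name in the raw JSON.

```python
import json
import re

# Constructed sample events, loosely modelled on O365 message-trace records as
# they would appear in _raw before any search-time field extraction (assumption).
RAW_EVENTS = [
    '{"RecipientAddress":"splunk.test@test.co.uk","SenderAddress":"a@example.com","Subject":"wanted"}',
    '{"RecipientAddress":"other.user@test.co.uk","SenderAddress":"b@example.com","Subject":"unwanted"}',
    '{"RecipientAddress":"splunkXtest@testYcoZuk","SenderAddress":"c@example.com","Subject":"lookalike"}',
    '{"RecipientAddress":"other.user@test.co.uk","SenderAddress":"splunk.test@test.co.uk","Subject":"sent by"}',
]

def ingest_keep(raw_events, pattern):
    """Emulate the ingest-action filter `NOT match(_raw, pattern)`.

    Only _raw exists at this stage. Events for which the expression is true
    are dropped (assumed from the thread), so an event survives exactly when
    the regex finds a match anywhere in the raw string.
    """
    rx = re.compile(pattern)
    return [ev for ev in raw_events if rx.search(ev)]

def search_keep(raw_events, address):
    """Emulate the search-time version using the extracted field:
    `| eval match=if(RecipientAddress="...",1,0) | search match=1`."""
    return [ev for ev in raw_events if json.loads(ev).get("RecipientAddress") == address]

# Three candidate patterns for the ingest-time filter.
UNESCAPED = r"splunk.test@test.co.uk"          # unescaped '.' matches any character
ESCAPED = r"splunk\.test@test\.co\.uk"         # the pattern from the accepted answer
FIELD_ANCHORED = r'"RecipientAddress":"splunk\.test@test\.co\.uk"'  # tied to the field (assumes JSON raw)

def subjects(events):
    """Return the Subject of each kept event, for readable comparison."""
    return [json.loads(ev)["Subject"] for ev in events]

if __name__ == "__main__":
    for name, pat in [("unescaped", UNESCAPED), ("escaped", ESCAPED), ("field-anchored", FIELD_ANCHORED)]:
        print(f"{name:15} keeps {subjects(ingest_keep(RAW_EVENTS, pat))}")
    print(f"{'search-time':15} keeps {subjects(search_keep(RAW_EVENTS, 'splunk.test@test.co.uk'))}")
```

The unescaped pattern also keeps the lookalike address, and any pattern applied to _raw keeps an event where the address appears in a different field (here SenderAddress); anchoring the regex to the field name in the raw text is the closest ingest-time equivalent of the exact field comparison done at search time.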


PickleRick
SplunkTrust

The typical issue when working in the ingest pipeline is that you don't have search-time fields extracted at this point. You must work on the raw event contents.


livehybrid
Ultra Champion

Hi @vishalduttauk 

Can you share the eval you created which works in the search? I can then check this against Ingest Actions.


vishalduttauk
Communicator

I might have a solution now by using this statement:

NOT match(_raw,"splunk.test@test.co.uk")


vishalduttauk
Communicator

Hi @livehybrid, here is the eval which works in the search:

| eval match=if(RecipientAddress="splunk.test@vwfs.co.uk",1,0) | search match=1


vishalduttauk
Communicator

Thank you Prewin, that has worked.
