Hi. I tried the ingest-time eval documentation at (single enterprise instance):
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/IngestEval
However, I could find the new field from the "| table eval_user" pipe. Does anyone have any experience in making it work? Thanks a lot.
You can only do this if the city field exists as an indexed field, which almost certainly in your case, it does not. To test, try this search:
index=_* sourcetype=testlog city::*
If this returns no events then EITHER your sourcetype is not testlog (so your props.conf stanza header is wrong) OR city is not an indexed field. You can use something like this instead:
INGEST_EVAL = eval_city=lower(replace(replace(_raw, SuffixRegExHere, ""), PrefixRegExHere, ""))
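A worked version of this advice for the event format shown later in this thread (city="London"), as an added example rather than configuration from the original answer; the stanza name, the TRANSFORMS class name "city", and the regex and its escaping are assumptions:

```ini
# transforms.conf on the indexing tier (indexer or heavy forwarder); stanza name assumed
[myeval]
# INGEST_EVAL runs before search-time field extraction, so the search-time
# field "city" does not exist yet and lower(city) evaluates to nothing.
# Read the value out of _raw instead. The regex targets the event shown in
# this thread (... city="London" ...). If no city is present, leave eval_city
# unset rather than storing the whole lowercased event as the field value.
INGEST_EVAL = eval_city=if(match(_raw, " city=\""), lower(replace(_raw, "^.* city=\"([^\"]*)\".*$", "\1")), null())

# props.conf - the stanza must match the sourcetype exactly (testLog, not testlog).
# The documented syntax is TRANSFORMS-<class>; the class name "city" is assumed.
[testLog]
TRANSFORMS-city = myeval

# fields.conf - declare the new field as indexed so eval_city::value searches work
[eval_city]
INDEXED = true
```

Restart Splunk and send a fresh event, since indexed fields only apply to data ingested after the change, then verify with `sourcetype=testLog eval_city::london` (an empty result means the eval never ran or the stanza did not match).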
What's your purpose of wanting to create an index-time eval? There's more benefit of doing it at search time.
@richgalloway
Thanks for your reply
$ pwd
/Applications/Splunk/etc/system/local
$ cat transforms.conf
[myeval]
INGEST_EVAL = eval_city=lower(city)
$ cat props.conf
[testLog]
TRANSFORMS = myeval
$ cat fields.conf
[eval_city]
INDEXED = True
Here's my search
sourcetype=testLog
time=2019-01-27T15:23:02.664129+09:00 eventName=purchase userId=8304 city="London" item=food price=4200
And here's my attempt to get the ingest-time eval field:
sourcetype=testLog | table userId, city, eval_city
but eval_city is blank
Any idea? Thanks a lot!
What version of Splunk are you using?
Have you also added to fields.conf?
[eval_city]
INDEXED = True
What are your props.conf and transforms.conf settings? What is the full query you're using to find the field?
