@tah7004 To use an ingest-time lookup, the field you want to apply it to must be specified as an indexed field. You can apply it successfully by configuring the configuration files as follows.

1. $SPLUNK_HOME/etc/apps/myapp/lookups/test.csv

field1,field2,field3
value1,value2,value3

2. $SPLUNK_HOME/etc/apps/myapp/local/props.conf

[test_ingest_lookup]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
# transforms run in the order listed: the regex extraction first, so its indexed fields exist when the lookup runs
TRANSFORMS-ingest_time_lookup = regex_extract_av_pairs, lookup_extract

3. $SPLUNK_HOME/etc/apps/myapp/local/transforms.conf

[regex_extract_av_pairs]
SOURCE_KEY = _raw
REGEX = \s([a-zA-Z][a-zA-Z0-9-]+)=([^\s"',]+)
REPEAT_MATCH = true
FORMAT = $1::"$2"
# write every extracted key=value pair as an indexed field
WRITE_META = true

[lookup_extract]
# new_field and field2 must already be indexed fields (here produced by the regex transform above)
INGEST_EVAL = field3=json_extract(lookup("test.csv", json_object("field1", new_field, "field2", field2), json_array("field3")),"field3")

You can refer to another solution using INDEXED_EXTRACTIONS=json at the link below.
- How to filter Splunk data at ingest time (list match)
https://qiita.com/chobiyu/items/aec5ef3a75a8bab96546