cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
buzzard192
Explorer
Member since: ‎11-13-2022
‎06-17-2023
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 1
Member Since ‎11-13-2022
View All

Re: INGEST_EVAL lookup on a multivalue field?

by in Getting Data In
‎06-17-2023 06:39 AM
1 Karma
‎06-17-2023 06:39 AM
1 Karma
@VatsalJagani  - thanks for your response.  I was able to figure it out.  Not sure if it is a newer feature or not, but INGEST_EVAL can handle multi-value fields, but by default it only processes the first value.  To have it process all values, you need to prefix the value with mv: so in my example above, I needed to use: $mv:systemIP$.    From the transforms.conf specification section on INGEST_EVAL: When reading from an index-time field that occurs multiple times inside the _meta key, normally the first value is used. You can override this by prefixing the name with "mv:" which returns all of the values into a "multival" object. For example, if _meta contains the keys "v::a v::b" then 'mvjoin(v,",")' returns "a" while 'mvjoin($mv:v$,",")' returns "a,b".   ... View more

Is there a way to have INGEST_EVAL process the mul...

by in Getting Data In
‎06-06-2023 07:44 PM
‎06-06-2023 07:44 PM
I have a field with the system's IP in it and am trying to add additional fields during ingest.  It works if the IP field is a single value, but if it is a multivalue field it does not.  I can successfully add the fields at search time regardless if it is a single or multivalue field. As an example, the field name is systemIP.  The CSV lookup file is: cidr,location,region 192.168.1.0/24,Site-A,East 10.10.10.0/24, Site-B,East transforms.conf: [IPRange] INGEST_EVAL = JSON=lookup("IPRangeLookup", json_object("cidr", systemIP), json_array("location", "region")) [IPRangeLookup] batch_index_query = 1 case_sensitive_match = 1 filename=systemIPLookup.csv match_type = CIDR(cidr) max_matches = 1 props.conf: [(?::){0}host::*] TRANSFORMS = IPRange   For the INGEST_EVAL: If the system only has one IP address (192.168.1.10), then JSON gets set to: {"location":"Site-A","region":"East"} If it has two IP addresses, one in each cidr, the JSON gets set to the match for the first IP in the multivalue field.   For search time EVAL: If I search: index="*" host="host-with-two-IPs" | eval JSONzzz=lookup("IPRangeLookup", json_object("cidr", systemIP), json_array("location", "region")) Then a system with one IP address, JSONzzz gets set to: {"location":"Site-A","region":"East"} If it has two IP addresses, then JSONzzz gets set to: {"location":["Site-A","Site-B"],"region":["East","East"]}   The lookup is the same between the two, but the INGEST_EVAL only ever processes the first value in the field.  Is there a way to have INGEST_EVAL process the multivalue field and return the same JSON value as the EVAL lookup? ... View more
Labels

Re: Can I create a multivalue _meta field?

by in Splunk Search
‎11-13-2022 05:46 PM
‎11-13-2022 05:46 PM
I know this is a really old post, but in case someone else comes across this, to create a multivalue _meta field, use this syntax: _meta = new_field::value1  new_field::value2 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-17-2023 10:00 AM
Karma from
View All