×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
victor1004k
Loves-to-Learn Lots
Member since: ‎05-12-2025
‎05-26-2025
Community Statistics
Posts 7
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-12-2025
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Is there a way to have INGEST_EVAL process the...

by in Getting Data In
‎05-14-2025 02:47 AM
‎05-14-2025 02:47 AM
[Solution] @buzzard192 You can also successfully handle multivalues by following these steps: 1. sample log : /opt/log/iprange.log [14/May/2025:14:22:11] systemIP="192.168.1.10,10.10.10.10"   2. lookup file :  /opt/splunk/etc/apps/myapp/lookups/systemIPLookup.csv cidr,location,region 192.168.1.0/24,Site-A,East 10.10.10.0/24, Site-B,East   3. transforms.conf file : /opt/splunk/etc/apps/myapp/local/transforms.conf [IPRange] INGEST_EVAL = systemIP=replace(_raw, ".*systemIP=\"([^\"]+)\".*","\1"), systemIP:=split(systemIP,","), JSON=lookup("IPRangeLookup", json_object("cidr", $mv:systemIP$), json_array("location", "region")) [IPRangeLookup] batch_index_query = 1 case_sensitive_match = 1 filename=systemIPLookup.csv match_type = CIDR(cidr) max_matches = 1   4. props.conf file : /opt/splunk/etc/apps/myapp/local/props.conf [(?::){0}host::*] TRANSFORMS = IPRange   5. Result   ... View more

Re: ingest_eval lookup not working

by in Getting Data In
‎05-13-2025 10:56 PM
‎05-13-2025 10:56 PM
[Solution] @Niro  You can get the desired result by modifying transforms.conf as follows: 1. /opt/splunk/etc/apps/myapp/local/transforms.conf [pan_src_user] INGEST_EVAL = src_ip=replace(_raw, ".*src_ip=([0-9.]+).*","\1"), src_user_idx=json_extract(lookup("user_ip_mapping.csv",json_object("src_ip", src_ip),json_array(src_user_idx)),"src_user")   Result: ... View more

Re: Ingest time lookup to add fields does not work

by in Getting Data In
‎05-13-2025 10:06 PM
‎05-13-2025 10:06 PM
[Solution] @patelmc  You can achieve the desired result by modifying the content below slightly. 1. /opt/splunk/etc/apps/myapp/local/transforms.conf [Active_Events] INGEST_EVAL= application=replace(_raw, ".*application=(\w+).*", "\1"), APP=json_extract(lookup("APP_COMP.csv", json_object("application", application), json_array("APP")),"APP"), COMP=json_extract(lookup("APP_COMP.csv", json_object("application", application), json_array("COMP")),"COMP")  2. Result ... View more

Re: ingest_eval works on AIO instance but differen...

by in Getting Data In
‎05-13-2025 07:55 PM
‎05-13-2025 07:55 PM
Hello, Bellow is the solution for your question. 1. /opt/log/syslog-ng-sample.log May 13 15:09:09 1.2.3.4 sim: logging for test   2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv host,host_value 1.2.3.4,myhostname  3. /opt/splunk/etc/apps/myapp/local/props.conf [mysourcetype] TRANSFORMS-host_override = host_override   4. /opt/splunk/etc/apps/myapp/local/transforms.conf [host_override] INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host, host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value") 5. Result   ... View more

Re: ingest_eval works on AIO instance but differen...

by in Getting Data In
‎05-13-2025 07:53 PM
‎05-13-2025 07:53 PM
@Skins , @moja Hello, Bellow is the solution for your question. 1.  /opt/log/syslog-ng-sample.log May 13 15:09:09 1.2.3.4 sim: logging for test   2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv host,host_value 1.2.3.4,myhostname    3. /opt/splunk/etc/apps/myapp/local/props.conf [mysourcetype] TRANSFORMS-host_override = host_override   4. /opt/splunk/etc/apps/myapp/local/transforms.conf [host_override] INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host,host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")   5. Result ... View more

Re: Ingest-time lookup

by in Getting Data In
‎05-13-2025 02:09 AM
‎05-13-2025 02:09 AM
@tah7004  OK! Bellow is the answer you talk about. 1.  $SPLUNK_HOME/etc/apps/myapp/local/props.conf TRANSFORMS-ingest_time_lookup = lookup_extract   2.  $SPLUNK_HOME/etc/apps/myapp/local/transforms.conf [lookup_extract] INGEST_EVAL= field1=replace(_raw, ".*field1=([0-9A-Za-Z.]+).*", "\1"), field2=replace(_raw, ".*field2=([0-9A-Za-Z.]+).*", "\1"), field3=json_extract(lookup("test.csv", json_object("field1", new_field, "field2", field2), json_array("field3")),"field3")   ... View more

Re: Ingest-time lookup

by in Getting Data In
‎05-12-2025 11:02 PM
‎05-12-2025 11:02 PM
@tah7004  To use ingest-time lookup, the field you want to apply must be specified as an indexed-field. You can apply it successfully by configuring the configuration file as follows. 1. $SPLUNK_HOME/etc/apps/myapp/lookups/test.csv field1,field2,field3 value1,value2,value3 2. $SPLUNK_HOME/etc/apps/myapp/local/props.conf [test_ingest_lookup] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom pulldown_type = true TRANSFORMS-ingest_time_lookup = regex_extract_av_pairs, lookup_extract   3. $SPLUNK_HOME/etc/apps/myapp/local/transforms.conf [regex_extract_av_pairs] SOURCE_KEY = _raw REGEX = \s([a-zA-Z][a-zA-Z0-9-]+)=([^\s"',]+) REPEAT_MATCH = true FORMAT = $1::"$2" WRITE_META = true [lookup_extract] INGEST_EVAL= field3=json_extract(lookup("test.csv", json_object("field1", new_field, "field2", field2), json_array("field3")),"field3")   You can refer to another solution using INDEXED_EXTRACTIONS=json in the link below. - Splunkデータ取り込み時の絞り込み方法(リストマッチ) https://qiita.com/chobiyu/items/aec5ef3a75a8bab96546 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-26-2025 06:38 PM