INGEST_EVAL examples is a reference and teaching app that demonstrates how to transform data at index time in Splunk using INGEST_EVAL, CLONE_SOURCETYPE, REGEX, ADD_META, REPEAT_MATCH, and related mechanisms in props.conf and transforms.conf.
The app ships with eighteen worked examples, each including sample log data, a fully commented configuration, and a markdown writeup that explains the problem, the approach, the resulting events, and example SPL searches. Examples are grouped into five categories:
- Datetime problems: conflicting datetime formats on one sourcetype; stitching a date from a filename to a time from the event.
- Enrichment: dynamic extraction of indexed fields from attribute=value logs, event-length metadata for license back-billing, dropping unwanted INDEXED_CSV columns, enriching splunkd.log and splunkd_access.log, pre-processing JSON-Docker logs, and validated IPv4 extraction from unstructured text.
- Security: simple masking via double-ingestion, and advanced SHA1 masking with a reversible map event for privileged search.
- Platform extension: converting license_usage.log into metrics, exporting and importing events between Splunk instances, sharding data with splitByIndexKeys, and measuring ingestion volumes before onboarding new data.
- Complex forwarding: splitting forwarder output across multiple TCP streams to exceed the per-pipeline throughput ceiling, and fine-grained selective routing to multiple targets.
The app also includes an extended INGEST_EVAL reference that documents behavior absent from the public Splunk documentation, adapted from internal developer notes: _time versus $pd:_time$, multivalue handling with $mv:field$, the := assignment operator, explicit type coercion ([int], [float32-sf]), and guidance on high-cardinality string storage pitfalls.
This is a reference app. It is intended for Splunk administrators, consultants, and data engineers who need to solve real ingestion and enrichment problems, and who want a runnable, self-contained set of patterns they can adapt to their own deployments.
Categories
IT Operations, Utilities