Hi,
I'm somewhat new to setting up the free Splunk, but have been playing with it and am super impressed so far. Unfortunately, I ran into an issue that I'm having trouble resolving, and was hoping for some assistance.
I noticed that the Props.conf documentation mentions that:
Splunk processes calculated fields
after field extraction and field
aliasing but before lookups
This is further re-inforced by the "Define calculated fields" documentation which says:
You cannot base calculated fields on
lookup fields. It won't work if you
try.
Unfortunately, I really want to do this. Specifically, I'd like to use the values that I am retrieving from the automated lookup in an evaluated field whenever querying results from a specific host.
If this cannot be done through Props.conf, I was wondering if there is another way to automatically perform a lookup followed by an eval on a specific field for a specific host?
It works brilliantly, when I manually do so in the search box, but I'd like to make the field appear automatically.
Any help would be greatly appreciated. Thanks!
... View more