I am trying to overwrite a field that is boolean. I created a table to convert 1/0 to IN/OUT so that the data is more human readable.
Below is my props.conf entry.
[source::mysource]
LOOKUP-mylookup = lookup_table direction_inbound AS direction_inbound OUTPUT direction AS direction_inbound
I have tried:
LOOKUP-mylookup = lookup_table direction_inbound AS direction_inbound OUTPUTNEW direction AS direction_inbound
with no positive results. Transforms.conf has the path to the CSV. The lookup works if I create a new field, but I want to overwrite the field that is already there.
Any idea what I might be missing?
Not sure when it was introduced, but you can now overwrite fields:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Lookup
Already answered in: http://answers.splunk.com/answers/3989/overwriting-input-field-in-lookup