
LOOKUP operation in default/props.conf disables FIELDALIAS in local/props.conf

secuc2r83
Path Finder

Hi,

I upgraded to 7.3.3 and I have a problem with one FIELDALIAS.
I know the ASNEW setting, available since 7.2.4, restores the old behaviour, but it is not working when the field is created by the LOOKUP operator (not FIELDALIAS).

Example:

a) After extraction in transforms.conf my event is:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X

b) In default/props.conf, "action" is called one time:
[sourcetype_test]
LOOKUP-risk_vendor_action_to_action = test_action_lookup vendor_action OUTPUT action

c) In my local/props.conf, I create 2 aliases:
[sourcetype_test]
FIELDALIAS-risk_action = vendor_action ASNEW action
FIELDALIAS-risk_dest = Dest_ip ASNEW dest

d) RESULT:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X, dest=X.X.X.X
=> no field "action", but field "dest" is created

When I comment out the LOOKUP line in default/props.conf
=> It works!

Problem:
I don't have to modify default/props.conf (best practice), so how can we disable this in my local/props.conf?

Kind Regards
