I am developing an apps, where I would like to normalize the value of a field coming from a lookup.
From the documentation of props.conf, it is clear that it is not possible to have an eval after a lookup. Though it is not really clear to me if the value from a lookup can be reused in another lookup.
For example in my props.conf I am trying to do something like this:
LOOKUP-01 = mykvstore kvstoref1 as eventf1 OUTPUT kvstoref2 as eventf2
LOOKUP-02 = mycsvlookup csvf1 as eventf2 OUTPUT csvf2 as eventf3
I extract a value from mykvstore and save it in event field eventf2. Then I want to use the value of the event field eventf2 to retrieve my normalized value and save it in eventf3. I am not able to have this example working but I can't find if this is because I am using wrong syntax, or if this is just not supported in Splunk.
What I really want, it is to have this normalization handled by the apps, and not having to do extra transformation when executing the search.
... View more