LOOKUP operation in default/props.conf disables FIELDALIAS in local/props.conf

secuc2r83
Path Finder

Hi,

I upgraded to 7.3.3 and I have a problem with one field alias.
I know the ASNEW setting (since 7.2.4) restores the old behaviour, but it is not working when the field is created by the LOOKUP operator (not FIELDALIAS).

Example:

a) After extraction in transforms.conf my event is:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X

b) In default/props.conf, "action" is called one time:
[sourcetype_test]
LOOKUP-risk_vendor_action_to_action = test_action_lookup vendor_action OUTPUT action

c) In my local/props.conf, I create 2 aliases:
[sourcetype_test]
FIELDALIAS-risk_action = vendor_action ASNEW action
FIELDALIAS-risk_dest = Dest_ip ASNEW dest

d) RESULT:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X, dest=X.X.X.X
=> no field "action", but field "dest" is created

When I comment out the LOOKUP line in default/props.conf
=> It works!

Problem:
I don't have to modify default/props.conf (best practice), so how can we disable this in my local/props.conf?

Kind Regards