LOOKUP operation in default/props.conf disable FIELDALIAS in local/props.conf

Path Finder


I upgrade in 7.3.3 and i have a problem with one fieldalias
I know the ASNEW settings since 7.2.4 restore old behaviour but not working when field create by OPEARTOR LOOKUP (not FIELDALIAS)


a) After extraction in transforms.conf my event is:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X

b) In default/props.conf, "action" is call one time:
LOOKUP-risk_vendor_action_to_action = test_action_lookup vendor_action OUTPUT action

c) In my local/props.conf, i create 2 alias:
FIELDALIAS-risk_action = vendor_action ASNEW action
FIELDALIAS-risk_dest = Dest_ip ASNEW dest

... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X, dest=X.X.X.X
=> no field "action" but create field "dest"

When i comment LOOKUP line in defaut/props.conf
=> It works!

I don't have to modify default/props.conf (best practice) then how can we disable this in my local/props.conf

Kind Regards

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!