Would anyone have an idea of the execution order of EXTRACT, REPORT, EVAL, LOOKUP and ALIAS in props.conf?
I understand that REPORT-policydate will be executed before REPORT-policyname because of the ASCII order of the class, but how about:
I have an ALIAS, for instance, that depends on a field extracted in a REPORT, but it doesn't seem to work.
We see this:
Important: Field aliasing is performed after key/value extraction but before field lookups. Therefore, you can specify a lookup table based on a field alias. This can be helpful if there are one or more fields in the lookup table that are identical to fields in your data, but have been named differently. For more information read "Configure CSV and external lookups" and "Configure KV store lookups" in this manual.
This implies that it happens before search-time extractions (REPORT-) so you would be best off changing your EXTRACT or you could perform a second REPORT- like this:
[MyFieldAlias]
SOURCE_KEY=MyField
REGEX=^(?<MyFieldAlias>.*)$
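The second-REPORT approach from the answer above, wired into both configuration files, as an added example that is not part of the original posts. The sourcetype name, the ExtractMyField stanza and its regex are assumptions for illustration; only the MyFieldAlias stanza comes from the answer.

```ini
# props.conf  (sourcetype name is an assumed placeholder)
[my_sourcetype]
# Transforms named in a single REPORT are applied in the order listed,
# so MyField already exists when MyFieldAlias reads it via SOURCE_KEY.
REPORT-myfield = ExtractMyField, MyFieldAlias

# transforms.conf
# Assumed first extraction: pulls MyField out of the raw event text.
[ExtractMyField]
REGEX = policy=(?<MyField>\S+)

# Stanza from the answer: copies the value of MyField into MyFieldAlias.
[MyFieldAlias]
SOURCE_KEY = MyField
REGEX = ^(?<MyFieldAlias>.*)$
```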
Hello, thank you very much for your help. And nice finding.
I received this order of execution as well from a Splunk person, which confirms what you said:
Thank you very much again.