I've have downloaded from Splunkbase and applied the Linux secure TA on my Splunk instance, and I've been facing with a strange issue I can't understand.

There are a couple fieldaliases defined in it:

FIELDALIAS-rhost = rhost AS src_ip <<<<<<<<<<
FIELDALIAS-src_user = ruser AS src_user
FIELDALIAS-app = process AS app
FIELDALIAS-vendor_product = process AS vendor_product
FIELDALIAS-dest = host AS dest
FIELDALIAS-dest_host = host AS dest_host
FIELDALIAS-dest_nt_domain = kerberos_domain AS dest_nt_domain
FIELDALIAS-src = src_ip AS src <<<<<<<<<<<<<<

I've marked the problematic ones with the arrows.
So, src_ip is created just as expected. However, src is not, just only in a really few number of events. Doing a quick spotcheck, I had like 25 different values in src_ip, but only 2 in src.
My search looked like simply this:
index=ftp

Going forward, when I've selected a value from src_ip, and run my search like this:
index=ftp src_ip=1.2.3.4

then the src field was created, and it had the 1.2.3.4 value in it. (previously, it was present in src_ip but not in src)

After this, I've created a new props.conf in the local folder of the TA, and added the following line:
FIELDALIAS-rhost = rhost AS src_ip
FIELDALIAS-rhost_test= rhost AS src <<<<<<<

Now it works for 100% of the events, both src_ip and src is created with all the values.

I just can't understand what went wrong with the original configuration.
What am I missing ?