This was a bug in ES 3.0.0 which was addressed in ES 3.0.1.
Hi,
I noticed that in the data model editor in general you cannot overwrite fields that exist in a) the events or b) the parent object of the data model object where you want to define that field.
I would consider this a bug (since you can overwrite existing fields in a regular search) and it is not limited to the Enterprise Security app.
In general, overwriting fields is a nice (the only?) way to apply multiple transformations (eval, lookups, rex, etc.) on a field to 'enhance' its value.
We are using Splunk 6.1.2. Is this fixed in a newer version?
We are also noticing the same on the SHs which also have ES installed. Has anyone found out the solution to fix this? We are running 6.1.5 on SHP.