LOOKUP operation in default/props.conf disable FIE...

Splunk Search

Hi,

I upgrade in 7.3.3 and i have a problem with one fieldalias
I know the ASNEW settings since 7.2.4 restore old behaviour but not working when field create by OPEARTOR LOOKUP (not FIELDALIAS)

Example:

a) After extraction in transforms.conf my event is:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X

b) In default/props.conf, "action" is call one time:
[sourcetype_test]
LOOKUP-risk_vendor_action_to_action = test_action_lookup vendor_action OUTPUT action

c) In my local/props.conf, i create 2 alias:
[sourcetype_test]
FIELDALIAS-risk_action = vendor_action ASNEW action
FIELDALIAS-risk_dest = Dest_ip ASNEW dest

d) RESULT:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X, dest=X.X.X.X
=> no field "action" but create field "dest"

When i comment LOOKUP line in defaut/props.conf
=> It works!

Problem:
I don't have to modify default/props.conf (best practice) then how can we disable this in my local/props.conf

Kind Regards

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...