Hello,

I am currently in the process of normalizing some fields from some DNS logs we are receiving an I am running into an issue with field aliases. Essentially, I have a few automatic lookups that run when a search is done on this index that provide some enrichment details. One of this details is a username which I am simply trying to map to either "src_user" or "user". For the time being, I am creating an alias to set this value based on a field from the lookup (the field name is "username"). However, I went enter the below in the props.conf file on the SH I am not seeing the field created:

[dns_data]
FIELDALIAS-dns_username = username AS user

And when I try and search for the field within this index I am getting back blank values. The username is not part of the event so I can't perform an extract so I thought field aliasing would be best here. I know there is an order of precedence with the way that Splunk processes this search time extractions, but is it possible to perform a field alias on field that was created from an automatic lookup? Or does anyone have any suggestions on a better way to make this work?