For anyone actually trying to replace host, as Steve was asking about.
Here is one way to work around the issue without doing all the FIELDALIAS stuff:
... | eval ip=host | lookup dnslookup ip OUTPUT host AS hostname | eval host=coalesce(hostname,host) | eval ip=null()
If you have to use this in a number of your searches, you should consider making a macro for this.
Note that if you already have the field ip, you can simply swap it out for a different (unused) field name. This approach should allow any failed lookups to preserve their original host value, which is what you want if you are dealing with a mix of hostnames and IP addresses in the host field.
If you have a small list of hosts that you are renaming (like in this example, where due to a setup issue Steve now has historical data with IP addresses instead of hostnames) then it probably makes more sense to make a new static lookup table (make a small .csv file in the lookups directory), rather than using an external lookup script, since using a static lookup file would be much faster.