Hi,
I noticed that in the data model editor in general you cannot overwrite fields that exist in a) the events or b) the parent object of the data model object you want to define that field.
I would consider this as a bug (since you can do overwrite existing fields in a regular search) and it is not limited to the Enterprise Security app.
In general overwriting fields is a nice (the only?) way to apply multiple transfomations (eval, lookups, rex, etc.) on a field to 'enhance' its value.
We are using Splunk 6.1.2. Is this fixed in a newer version?
... View more