Channel: Questions in topic: "splunk-enterprise"

Automatic lookup on a fieldalias field -- Is it possible?

My automatic lookup is not working on fields that were created via FIELDALIAS's. I have automatic lookups in my "search" app local/props.conf running on things like "src" and "dst" fields. These are global, i.e. at the top of props, not defined by a sourcetype or anything. Example:

    LOOKUP-auto-dst-lookup = subnets Subnet AS dst OUTPUT Description AS dst_description
    LOOKUP-auto-dest-lookup = subnets Subnet AS dest OUTPUT Description AS dest_description
    LOOKUP-auto-src-lookup = subnets Subnet AS src OUTPUT Description AS src_description

I also want it to work on the "dest" field that you see above, which is the field that most Splunk TAs convert their destination IP field to. Example:

    # grep -R "FIELDALIAS-" /opt/splunk/etc/apps
    /opt/splunk/etc/apps/Splunk_TA_cool_waf/default/props.conf:FIELDALIAS-alias_for_dst = dst as dest
    /opt/splunk/etc/apps/Splunk_TA_cool_av/default/props.conf:FIELDALIAS-alias_for_ComputerName = ComputerName as dest

However, only src and dst are working, not dest. Is there some kind of order of precedence here that I'm missing, or is it impossible for the automatic lookups to work based off of field names created by FIELDALIAS's?

Edit: Seems like there is [precedence][1], and that I should edit System default to achieve what I want. However, system/default/props.conf says to NOT edit that file. So what am I supposed to do then?

[1]: http://docs.splunk.com/Documentation/Splunk/6.6.3/Admin/Wheretofindtheconfigurationfiles
