Below is my props.conf configuration:
[]
FIELDALIAS-0_abc = field1 as field2
FIELDALIAS-pqr = field2 as field3
FIELDALIAS-xyz = field2 as field4
Current behavior:
- field1 and field2 are coming from REPORT.
- field1 and field2 are being extracted but not field3 and field4.
- I'm using Splunk 7.3.1 version.
- The FIELDALIAS works based on the lexicographic order of class names. So, 0 comes before p and x in lexicographical order it should correctly alias field3 and field4. This is what I'm expecting.
Can anyone tell me why it is not working? Is it expected? Is there any doc related to it?
I've some calculated fields (EVAL) based on field3 and field4, so I cannot extract field3 and field4 using EVAL as all EVAL executed in parallel. Is there any way I can solve the issue.
↧