I'd like to do a field extraction on these fields:
proto=udp/67 proto=tcp/http proto=udp/9060
Should become protocol/service
If the service ends up being something alphabetic like HTTP, then I don't change it. If not, I should do a lookup for the numeric value in /etc/services and get the service name.
I could extract the number and save it as the port_number, then do a lookup on that field. Would Splunk care if I had a field called service that was populated both by an automatic lookup and by automatic field extraction?
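The extraction and fallback described in the question, as an added example that is not part of the original post: it parses proto= pairs, keeps alphabetic services, and resolves numeric ones against /etc/services-style text keyed on both port and protocol, since the same port number can name different services over TCP and UDP. The services sample is constructed, and the CSV column names port, protocol and service are assumptions.

```python
import csv
import io
import re

# Constructed sample in /etc/services format (embedded so the example runs offline).
SAMPLE_SERVICES = """\
# name          port/proto      aliases
bootps          67/udp
bootpc          68/udp
http            80/tcp          www     # WorldWideWeb HTTP
http            80/udp
"""

PROTO_RE = re.compile(r"\bproto=(?P<protocol>[a-z]+)/(?P<service>[\w.-]+)", re.I)

def parse_services(text):
    """Return {(port, protocol): name} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, protocol = fields[1].split("/", 1)
        if port.isdigit():
            table.setdefault((int(port), protocol.lower()), fields[0])
    return table

def resolve(event, table):
    """Return [(protocol, service)] for every proto= pair in the event."""
    out = []
    for m in PROTO_RE.finditer(event):
        protocol, service = m["protocol"].lower(), m["service"]
        if service.isdigit():
            # Numeric service: look it up; unknown ports keep their number.
            service = table.get((int(service), protocol), service)
        out.append((protocol, service))
    return out

def to_lookup_csv(table):
    """Render the table as CSV (assumed columns: port, protocol, service)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["port", "protocol", "service"])
    for (port, protocol), name in sorted(table.items()):
        w.writerow([port, protocol, name])
    return buf.getvalue()
```

Ports missing from the table, such as 9060 with this sample, come back as the original number rather than an empty value.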