How to display custom indexed fields within the sidebar in fast mode?

Hendrik2509 — Mon, 18 Apr 2022 16:47:46 GMT

Hello,

I have configured a custom indexed field via transforms.conf and props.conf as following:

transforms.conf: (/apps/search/local/)

[EventID]

FORMAT = EventID::$1

REGEX = <regex expression>

WRITE_META = true

props.conf: (/apps/search/local)

[<sourcetype>]

DATETIME_CONFIG =

NO_BINARY_CHECK = true

category = custom

pulldown_type = 1

LINE_BREAKER = ([\r\n]+)

TRANSFORMS-EventID = EventID

fields.conf (etc/system/local)

[sourcetype::<sourcetype>::EventID]

INDEXED = True

The field EventID is getting indexed, I have checked it via

| walklex index="<index-name>" type=field
| search NOT field=" *"
| stats values(field)

The field will also show up at the sidebar when searching in smart mode, but not when searching in fast mode.

Is there any way to make it show up in fast mode too?

I assumed this woulde have been done by the fields.conf Stanza, but it seems not to work for me.

Re: How to display custom indexed fields within the sidebar in fast mode?

VatsalJagani — Mon, 18 Apr 2022 16:58:51 GMT

@Hendrik2509 - Fast Mode only returns default fields and fields that you are searching as per definition.

So it does not necessarily search all the indexed fields.