I have a search-time extracted field defined in props.conf:
[foo]
EXTRACT-fields = msg=\".{20}(?<newfield>.{6})
The sample log:
Wed Feb 27 17:12:03 EST 2019 msg="020202P032929055801 FINDME
I can see "FINDME" as a value of newfield listed in the "field explorer" in the UI while searching "sourcetype=foo".
When I search "sourcetype=foo newfield=FINDME", no result is found.
However, I can get results while searching:
sourcetype=foo newfield=*FINDME
How can I fix this issue?
This issue should be able to be resolved by adding fields.conf on all the indexers:
fields.conf
[newfield]
INDEXED_VALUE = *<VALUE>
It does not work if you put fields.conf on the search head.