Hi
We have a 4.0.10 instance deployed in production and are currently investigating 4.1.2. We are noticing some changes in the way summary-indexed based saved searches work in 4.1.2.
We have enabled summary-indexing on our saved-searches and they have an optional parameter like:
report = search_report_name
The above searches work fine in 4.0.10. But in the 4.1.2 instance, all of these searches generate the report value with the date and time appended to them. For the following search:
index=summary | top report limit=0
In version 4.0.10, we get:
report         count  percent
report_name_1  8000   25
report_name_2  8000   25
report_name_3  8000   25
report_name_4  8000   25
But in version 4.1.2, we get:
report                             count  percent
report_name_1 09/03/2010 12:00:00  50     3
report_name_1 09/03/2010 11:00:00  50     3
report_name_1 09/03/2010 10:00:00  50     3
report_name_1 09/03/2010 09:00:00  50     3
.....
.....
.....
This behavior basically renders our queries useless, since we are specifically looking at the report name.
Appreciate any help on this.
-Ranga
Maybe you could post some of the searches and a few lines of data here.
Sure, do you want me to upload some files? Also, why is this a change in behavior in v4.1? The queries work fine in v4.0.
It would be helpful to see the summary queries, the reporting queries, and a sample of the data in question.
It would appear to me that the field you are indexing (report) now has a timestamp associated with it. I would double check how you have specified that field to be included in the summary index.
That field was specified as part of the "summary-index" configuration. From the UI, there is a field to add a parameter under the summary-indexing section of the scheduled search.