We have a 4.0.10 instance deployed in production and are currently investigating 4.1.2. We are noticing some changes in the way summary-indexed based saved searches work in 4.1.2.
We have enabled summary-indexing on our saved-searches and they have an optional parameter like:
report = search_report_name
The above searches work fine in 4.0.10. But in the 4.1.2 instance, all of these searches generate the report value with the the date and time appended to them. For the following search:
index=summary | top report limit=0
In version 4.0.10, we get:
report count percent report_name_1 8000 25 report_name_2 8000 25 report_name_3 8000 25 report_name_4 8000 25
But in version 4.1.2, we get:
report count percent report_name_1 09/03/2010 12:00:00 50 3 report_name_1 09/03/2010 11:00:00 50 3 report_name_1 09/03/2010 10:00:00 50 3 report_name_1 09/03/2010 09:00:00 50 3 ..... ..... .....
This behavior basically renders our queries useless, since we are specifically looking at the report name.
Appreciate any help on this.
It would appear to me that the field you are indexing (report) now has a timestamp associated with it. I would double check how you have specified that field to be included in the summary index.