I am storing a certain dataset in a summary index which has some events with fields where the values are '=' or '=='. When searched, these events do not have such fields.
I managed to replicate this by doing this,
| makeresults
| eval testval1 = "="
| eval testval2 = "=="
| eval testval3 = "-"
| eval testval4 = "--"
| eval testval5 = "*"
| eval testval6 = "/"
| eval testval7 = "+"
| eval testval8 = "++"
| table testval*
| summaryindex index="a_summary_index" name="testval"
testval1 | testval2 | testval3 | testval4 | testval5 | testval6 | testval7 | testval8 |
= | == | - | -- | * | / | + | ++ |
index="a_summary_index" source="testval"
| table testval*
returns,
testval1 | testval2 | testval3 | testval4 | testval5 | testval6 | testval7 | testval8 |
  |  | - | -- | * | / | + | ++ |
(where the testval1 and testval2 are null). The raw event looks like this,
testval1="=", testval2="==", testval3="-", testval4="--", testval5="*", testval6="/", testval7="+", testval8="++"
The sourcetype, by default (as with all other configurations), is stash.
The field extraction configuration is,
[stash_extract]
DELIMS = ",", "="
CAN_OPTIMIZE = false
MV_ADD = true
CLEAN_KEYS = false
I was wondering if there will be any implications on other search features if the above stanza is modified (since this is the default configuration). Any feedback or suggestions are much appreciated.
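
The behaviour described above, as an added example that is not part of the original post and is not Splunk's code: `delim_split` is a simplified model of delimiter-only splitting in the spirit of `DELIMS = ",", "="` (an assumption about the mechanism), and `quoted_kv` is a quote-aware parser run over the raw event quoted in the post. All function names are hypothetical.

```python
import re

# Constructed sample: the raw summary event quoted in the post.
RAW = ('testval1="=", testval2="==", testval3="-", testval4="--", '
       'testval5="*", testval6="/", testval7="+", testval8="++"')


def delim_split(raw, pair_delim=",", kv_delim="="):
    """Simplified model of delimiter-only splitting (assumption, not Splunk's code)."""
    fields = {}
    for pair in raw.split(pair_delim):
        # Every kv_delim character acts as a separator, even inside the quotes.
        tokens = [t.strip().strip('"') for t in pair.split(kv_delim)]
        key, rest = tokens[0], [t for t in tokens[1:] if t]
        if key and rest:
            fields.setdefault(key, []).append(rest[0])
    return fields


# key="value", where the value may hold any character except an unescaped quote.
QUOTED_KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def quoted_kv(raw):
    """Quote-aware extraction: delimiters inside the quotes stay part of the value."""
    fields = {}
    for key, value in QUOTED_KV.findall(raw):
        fields.setdefault(key, []).append(value)  # repeated keys become multivalue
    return fields


def lost_fields(raw):
    """Fields present in the raw event that delimiter-only splitting drops."""
    return sorted(set(quoted_kv(raw)) - set(delim_split(raw)))


if __name__ == "__main__":
    print("delimiter-only:", delim_split(RAW))
    print("quote-aware:   ", quoted_kv(RAW))
    print("lost:          ", lost_fields(RAW))
```

Running `lost_fields` over exported raw events from a summary index is one way to confirm that the values are intact in `_raw` and that only the search-time extraction drops them.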