Hello,
I have configured a custom indexed field via transforms.conf and props.conf as following:
transforms.conf: (/apps/search/local/)
[EventID]
FORMAT = EventID::$1
REGEX = <regex expression>
WRITE_META = true
props.conf: (/apps/search/local)
[<sourcetype>]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = custom
pulldown_type = 1
LINE_BREAKER = ([\r\n]+)
TRANSFORMS-EventID = EventID
fields.conf (etc/system/local)
[sourcetype::<sourcetype>::EventID]
INDEXED = True
The field EventID is getting indexed, I have checked it via
| walklex index="<index-name>" type=field
| search NOT field=" *"
| stats values(field)
The field will also show up at the sidebar when searching in smart mode, but not when searching in fast mode.
Is there any way to make it show up in fast mode too?
I assumed this woulde have been done by the fields.conf Stanza, but it seems not to work for me.
