Solved: INGEST_EVAL field returning no results

sarit_s · ‎02-23-2020

Hello

i have this configuration in transforms.conf:
[adjust_flight_fields]
INGEST_EVAL = flight_id=Designator.Flight_no."_".strftime(strptime(Schedule_time_departure, "%Y-%m-%d %H:%M"), "%s"), registration_prefix:=if(isnull(registration_prefix), "", registration_prefix), Tail_no:=registration_prefix.Tail_no

i see the flight_id field under "selected fields" but when im trying to use it in search such as

index=* flight_id=dhdhd

i get no results.

also, if im searching for

flight_id !=fdfd
then im getting results without the id i selected

can someone tell me what is the problem ?

thanks

martin_mueller · ‎02-23-2020

INGEST_EVAL creates index-time fields, searching for custom index-time fields is special. Either:

define the field as indexed in fields.conf and search using =
use tstats with =
search using :: instead of =, e.g. flight_id::dhdhd

View solution in original post

martin_mueller · ‎02-23-2020

INGEST_EVAL creates index-time fields, searching for custom index-time fields is special. Either:

define the field as indexed in fields.conf and search using =
use tstats with =
search using :: instead of =, e.g. flight_id::dhdhd

sarit_s · ‎02-24-2020

thanks for your answer
i tried the third option but still no results
any suggestions ?

martin_mueller · ‎02-24-2020

Option 1, Option 2?

sarit_s · ‎02-24-2020

didn't try option 1. the configuration placed in transforms.conf.
is there any difference ?

option 2 : this is the only way its returning any results :

| tstats count where flight_id=BY125_1567729200 index=prod sourcetype=flights

is there a way to return the event list instead of count number ?

martin_mueller · ‎02-24-2020

If tstats works then flight_id::TERM(BY125_1567729200) will work too.

sarit_s · ‎02-24-2020

well.. this is the query :

index=prod sourcetype=flights flight_id::TERM(BY125_1567729200)

and it's returning no results

martin_mueller · ‎02-24-2020

Maybe it was TERM(flight_id::BY125_1567729200)

sarit_s · ‎02-24-2020

still no results

martin_mueller · ‎02-24-2020

Paste the full search you are running.

sarit_s · ‎02-24-2020

index=prod sourcetype=flights TERM(flight_id::BY125_1567729200)

martin_mueller · ‎02-24-2020

Mkay, and without any TERM() around it?

sarit_s · ‎02-24-2020

awesome ! thanks
please make it as answer so i will approve it

martin_mueller · ‎02-24-2020

Edited the answer.

INGEST_EVAL field returning no results

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor