Hello
I have this configuration in transforms.conf:
[adjust_flight_fields]
INGEST_EVAL = flight_id=Designator.Flight_no."_".strftime(strptime(Schedule_time_departure, "%Y-%m-%d %H:%M"), "%s"), registration_prefix:=if(isnull(registration_prefix), "", registration_prefix), Tail_no:=registration_prefix.Tail_no
I see the flight_id field under "selected fields", but when I'm trying to use it in a search such as
index=* flight_id=dhdhd
I get no results.
Also, if I'm searching for
flight_id !=fdfd
then I'm getting results without the ID I selected.
Can someone tell me what the problem is?
Thanks
INGEST_EVAL creates index-time fields; searching for custom index-time fields is special. Either:
flight_id::dhdhd
Thanks for your answer.
I tried the third option but still no results.
Any suggestions?
Option 1, Option 2?
Didn't try option 1. The configuration is placed in transforms.conf.
Is there any difference?
Option 2: this is the only way it's returning any results:
| tstats count where flight_id=BY125_1567729200 index=prod sourcetype=flights
Is there a way to return the event list instead of the count number?
If tstats works then flight_id::TERM(BY125_1567729200) will work too.
Well... this is the query:
index=prod sourcetype=flights flight_id::TERM(BY125_1567729200)
and it's returning no results
Maybe it was TERM(flight_id::BY125_1567729200)
Still no results
Paste the full search you are running.
index=prod sourcetype=flights TERM(flight_id::BY125_1567729200)
Mkay, and without any TERM() around it?
Awesome! Thanks.
Please make it an answer so I will approve it.
Edited the answer.