I have a search-time field extraction that shows up in my pick fields list and everything. The fields list is showing an event count for values that occur for that field. However, when I click on the field value, it returns 0 events.
My search-time extraction REGEX pulls out a portion of the token to return as a value. So, in my raw event, I have a token like a12345b where the value is actually 12345.
What is the problem?
There is an additional configuration required when you have an extraction configured to pull a value out of a subtoken. It's a simple edit to fields.conf:
[field_name]
INDEXED=False
INDEXED_VALUE=False
Note that this may impact search performance for this particular field.
You just lost reputation point for doing that.
I don't understand this question.
It's more common for this case to be hit when the extraction is based off of source, sourcetype, or host values. Not sure these comments apply in that situation.
Well, bad performance is better than not working at all. But indeed to skirt the performance issue for any particular field value 1234, you'd have to always do "myWholeField="1234*" myLittleField="1234", and that makes the whole thing look pretty silly. 😃
Another workaround that could work in rare cases is to modify segmentation settings so that the partial token is indexed as a full token. But the default probably already does this for any case that you're realistically likely to run into. It would not be a bad ER to ask for segmentation on letter/digit boundaries, which I believe is currently impossible to configure.
I would strongly recommend against this solution as it will have an extremely adverse effect on search performance against this field. A much better fix is simply to search on myfield=*myvalue*, myfield=myvalue*, or myfield=*myvalue, as appropriate to your data.
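The following is an added illustration, not code from the thread or from Splunk: a deliberately simplified Python model of why the accepted answer's INDEXED_VALUE=false setting and the wildcard workaround in the comments both produce results, and why the default does not. The event lines, the field name myLittleField, the extraction regex and the segmenter are all constructed for the example. The model indexes each event's tokens into a lexicon (with no break on letter/digit boundaries, so "a12345b" is one term), runs a search-time extraction that pulls "12345" out of that term, and then simulates how a `myLittleField=12345` search is evaluated with and without the lexicon prefilter.

```python
import re
from collections import Counter

# Constructed sample events (not from the original thread). The interesting
# token is "a12345b": the extraction pulls "12345" out of the middle of it.
# Event 2 contains "12345" as a whole token but does NOT carry the field.
EVENTS = [
    "2024-05-01T10:00:00 host=web1 id=a12345b status=ok",
    "2024-05-01T10:00:01 host=web2 id=a67890b status=ok",
    "2024-05-01T10:00:02 host=web3 ref=12345 status=fail",
]

# Hypothetical search-time extraction, standing in for an EXTRACT-* rule
# in props.conf. The field name myLittleField is made up for the example.
EXTRACT_RE = re.compile(r"\bid=a(?P<myLittleField>\d+)b\b")

# Simplified stand-in for Splunk's segmenters: split on whitespace and a few
# punctuation characters. Letter/digit boundaries are not breakers, so the
# whole of "a12345b" becomes a single indexed term.
BREAKERS = re.compile(r"[\s=,;]+")


def segment(raw):
    """Return the set of indexed terms for one raw event."""
    return {tok for tok in BREAKERS.split(raw) if tok}


def build_lexicon(events):
    """Map each indexed term to the set of event numbers containing it."""
    lexicon = {}
    for n, raw in enumerate(events):
        for tok in segment(raw):
            lexicon.setdefault(tok, set()).add(n)
    return lexicon


def extract(raw):
    """Apply the search-time extraction; None when the regex does not match."""
    m = EXTRACT_RE.search(raw)
    return m.group("myLittleField") if m else None


def field_value_counts(events):
    """What the fields sidebar shows: the extraction run over every event."""
    return Counter(v for v in map(extract, events) if v is not None)


def search(events, lexicon, value, indexed_value=True):
    """Simulate the search `myLittleField=<value>`.

    Returns (matching event numbers, number of events actually scanned).
    With INDEXED_VALUE=true (the default) and no wildcard, the literal value
    is first looked up in the lexicon and only those events are scanned.
    With INDEXED_VALUE=false, or when the value carries a wildcard, there is
    no lexicon prefilter and every event is scanned (hence the cost).
    """
    if "*" in value or not indexed_value:
        candidates = list(range(len(events)))
    else:
        candidates = sorted(lexicon.get(value, set()))
    matcher = re.compile("^" + re.escape(value).replace(r"\*", ".*") + "$")
    hits = []
    for n in candidates:
        v = extract(events[n])
        if v is not None and matcher.match(v):
            hits.append(n)
    return hits, len(candidates)


if __name__ == "__main__":
    lex = build_lexicon(EVENTS)
    print("sidebar counts     :", dict(field_value_counts(EVENTS)))
    print("default            :", search(EVENTS, lex, "12345"))
    print("INDEXED_VALUE=false:", search(EVENTS, lex, "12345", indexed_value=False))
    print("wildcard           :", search(EVENTS, lex, "*12345*"))
```

Run as-is, the sidebar count reports one event for the value 12345, yet the default search scans only the event the lexicon points at (the one where 12345 is a whole token) and returns nothing, which is exactly the symptom in the question. Disabling the prefilter or using a wildcard both find the right event, at the price of scanning every event in the model, which is the performance trade-off the comments argue about.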