Hi,

I have a query which I am not sure why its not working,

Assume I have the following JSON record, which has been extracted at index-time

index: network
sourcetype: devices
record: { "deviceId" : 1234, "hostName": "Router1}

1. index=network sourcetype=devices deviceId=1234 => works as expected

2. index=network TERM(sourcetype::devices) => works as expected
3. index=network TERM(sourcetype::devices) deviceId=1234 => Fails, returns 0 records
4. index=network TERM(sourcetype::devices) earliest=-7d@d => Fails, returns 0 records

5. index=network sourcetype::devices deviceId=1234 => works as expected
6. index=network sourcetype::devices deviceId::1234 => works as expected
7. index=network sourcetype::devices deviceId::1234 earliest=-7d@d => works as expected

The real question is, why do queries 3 and 4 fail, when the others work, especially when I can see that query 2 works and returns the correct data.

What impact does TERM() have in the process flow, such that earliest and = make it fail ?

cheers
-brett