I have indexed a file using INDEXED_EXTRACTION=csv in props.conf.
When I search
index=abc field_name=123
I get results in all three modes (fast/smart/verbose) and all fields are extracted as expected, but when I try
index=abc field_name=123|table field_name
I only get results in Verbose mode, and fast/smart mode gives no results. Then I tried using fields in the search, but still have the same issue.
index=abc field_name=123|fields *|table field_name
This also gives results in Verbose mode, and fast/smart mode gives no results.
Kindly help me resolve this issue.
Thanks,
INDEXED_EXTRACTION is a field extraction done at index time. All fields are being extracted when the data is indexed and they are always available in the events. The Search Mode (Fast/Verbose/Smart) only affects what is displayed at search time. Just to clarify: I assume that by "results" you mean that when you switch to the Events tab of the search results, you see no fields when you turn/open the twistie on an event.
1. index=abc field_name=123|table field_name
- All fields in the head of the search appear in the Events, regardless of the search level. Thus, in all levels you will see index and field_name, both being highlighted (yellow). Smart and verbose will show all fields extracted at index time.
2. index=abc
- In "fast" mode, you will only see index, but no additional fields will be shown.
3. index=abc field_name=123|fields *|table field_name
- Same as in 1
Please note: The fields command affects the internal representation of the result. fields - <name> will remove a field from the result. After fields - field_name, expanding the Events will no longer show field_name. fields + * (equivalent to fields *) keeps all fields that **already are in the result** in the result (it does nothing). Hence the + is misleading. Adding a field that does not exist in your result, as in ... | fields + newfield |..., will in effect remove all fields and keep the non-existent one. The field list will be empty after this.
Hi ips_mandar,
I experienced this behaviour; in a past release there was also a bug, so I had a different number of results between modes!
Anyway, it's correct to have no results in Fast mode because you don't have any field for the search.
It's not so clear in Smart mode: did you try to display the results in Verbose mode, put field_name in the interesting fields, and then run the search again in Smart mode?
Bye.
Giuseppe