I have indexed a file using INDEXED_EXTRACTION=csv in props.conf.
When I search
index=abc field_name=123
I get results in all three modes, i.e. Fast/Smart/Verbose mode, and all fields are extracted as expected. But when I try
index=abc field_name=123|table field_name
I only get results in Verbose mode; Fast/Smart mode gives no results. Then I tried using fields in the search, but still the same issue.
index=abc field_name=123|fields *|table field_name
This also gives results in Verbose mode, and Fast/Smart mode gives no results.
Kindly help to resolve this issue.
INDEXED_EXTRACTION is a field extraction done at index time. All fields are being extracted when the data is indexed and they are always available in the events. The Search Mode (Fast/Verbose/Smart) only affects what is displayed at search time. Just to clarify: I assume that with "results" you mean that when you switch to the Events tab of the search results, you see no fields when you turn/open the twistie on an event.
1. index=abc field_name=123|table field_name - All fields in the head of the search appear in the Events, regardless of the search level. Thus, in all levels you will see index and field_name, both being highlighted (yellow). Smart and verbose will show all fields extracted at index time.
2. index=abc - In "fast" mode, you will only see index, but no additional fields will be shown.
3. index=abc fieldname=123|fields *|table field_name - Same as in 1.
Please note: The fields command affects the internal representation of the result.
fields - <name> will remove a field from the result. After fields - field_name, expanding the Events will no longer show field_name.
fields + * (equivalent to fields *) keeps all fields that **already are in the result** in the result (it does nothing). Hence the + is misleading. Adding a field that does not exist in your result, ... | fields + newfield |..., will in effect remove all fields and keep the non-existent one. The field list will be empty after this.
I experienced this behaviour; in a past release there was also a bug, so I had a different number of results between Modes!
Anyway, it's correct to have no results in Fast mode because you haven't any field for search.
It's not so clear in Smart Mode: did you try to display results in Verbose mode, put field_name in interesting fields and then run the search again in Smart mode?