But when I try to use TERM for the service field, values are not returned. The service field is still there in my raw summary event. Not sure what went wrong.

(index=prod) OR (index=opco_summary AND (TERM(service=JUNIPER-PROD))

I even checked with only the summary index, and TERM with service is not working.

This is my raw data for the summary index. I extracted service from the original index, applied |eval service = service, and then collected it in the summary index...

07/31/2025 04:59:56 +0000, search_name="decode query", search now 1753938000.000, info min_time=1753937100.000, info_max_time=1753938000. info_search_time=1753938000.515, uri="/wasinfkeepalive.jsp", fqdn-"p3bmm-eu.systems.uk.many-44", service="JUNIPER-PROD", vs_name="tenant/juniper/services/jsp" XXXXXX