Hello Team,

9.4.0, troubleshooting prod, replicated the issue in staging. I have 1 indexer only. Performing all searches on that indexer:

- when I search for "index=index1 sourcetype=mytype1" I got 0 results
- when I search for "index=index1" I got 1000 results and can see all of those are of sourcetype=mytype1
- when I search for "index=index1 | stats count by sourcetype" can see 0 statistics
- when looking at those events manually - all of them are of sourcetype=mytype1.
- checked job inspector, all looks good, nothing special

I am admin. Full access. Searching with 15 min and all time (no difference, the same results).

Sourcetype "mytype1" has been created by transforms:

    [set_sourcetype_1]
    REGEX =myhost\.pl
    DEST_KEY = MetaData:Sourcetype
    FORMAT = mytype1
    WRITE_META = true

No other definition of that sourcetype anywhere else (should I add it somewhere??)

What is wrong? Why can I not search by sourcetype?

Thanks,
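
A check for the stanza above, as an added example that is not part of the original post: the transforms.conf spec requires that a FORMAT written to `MetaData:Sourcetype`, `MetaData:Host` or `MetaData:Source` carry the `sourcetype::`, `host::` or `source::` prefix, and this Python lint flags stanzas that lack it. The function name `lint_transforms` and the second sample stanza are constructed for illustration.

```python
import configparser

# Required FORMAT prefix per metadata DEST_KEY (transforms.conf spec).
REQUIRED_PREFIX = {
    "MetaData:Sourcetype": "sourcetype::",
    "MetaData:Host": "host::",
    "MetaData:Source": "source::",
}


def lint_transforms(conf_text):
    """Return (stanza, dest_key, format, suggested_format) for each stanza
    whose FORMAT lacks the prefix its metadata DEST_KEY requires."""
    parser = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False
    )
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        dest_key = parser.get(stanza, "DEST_KEY", fallback="").strip()
        fmt = parser.get(stanza, "FORMAT", fallback="").strip()
        prefix = REQUIRED_PREFIX.get(dest_key)
        if prefix and not fmt.startswith(prefix):
            findings.append((stanza, dest_key, fmt, prefix + fmt))
    return findings


# Constructed sample: the stanza from the post plus a correctly prefixed one.
SAMPLE = r"""
[set_sourcetype_1]
REGEX =myhost\.pl
DEST_KEY = MetaData:Sourcetype
FORMAT = mytype1
WRITE_META = true

[set_sourcetype_ok]
REGEX = otherhost
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::mytype2
"""

if __name__ == "__main__":
    for stanza, dest_key, fmt, fix in lint_transforms(SAMPLE):
        print(f"[{stanza}] DEST_KEY={dest_key}: FORMAT={fmt!r} -> expected {fix!r}")
```

Index-time transforms apply only to events indexed after the configuration changes, so events already in the index keep the value they were written with.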