I have read the documentation about breaker characters, but within our organization there is disagreement about when they actually come into play in the main search. The docs don't say anything about it either way, but some say we must use quotes around sourcetype, for example:

index=iis sourcetype="http_err_logs" status=500 ...etc

It goes without saying that they're needed within literal search phrases; the text of a specific error message, for example. But do they really also apply to comparisons for standard fields like index or sourcetype?

As another example, we have sourcetypes with names like "WinEventLog:Application" and "WinEventLog:System" and some are saying that colon becomes a breaker which leads to a search of the entire raw event data. We also have index names with underscores, and so on.

As a result, at this point we're playing it safe and quoting anything that has breaker characters, but is there any documentation that describes where they're actually applied or not?