Hi
I have a similar issue.
It seems to be connected with the search term and the use of the dedup.
Search producing the problem:
index=index_*
|dedup HOSTNAME POLICY_NAME
The result populates a field COMP_SUMMARY_FAILURE_NAME with source::xxx|host::yyy|zzz,
where xxx = value for source, yyy = value for host, zzz = value for sourcetype.
The result is reproducible for a subset of events and always for this field.
This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup; then the result returns multiple events with the field in question containing no values
Smells like a bug?