I'm indexing some syslog data from UDP. I'm using a transform on the data to set the sourcetype of data from certain hosts like this:
[vmware_set_sourcetype]
SOURCE_KEY=MetaData:Host
DEST_KEY=MetaData:Sourcetype
REGEX=^host::vmware-\d+.example.com$
FORMAT=vmware_syslog
That works just fine. When I do a search by host, I see the data as expected, and the sourcetype is vmware_syslog. So, for example, this search returns 30,399 results:
host=vmware-* earliest=-10m
This search, however, returns none:
sourcetype=vmware_syslog earliest=-10m
It's strange, because on my search homepage, I can page through the source types, find vmware_syslog, and click on it to do a search, but I still get no results.
I just want to make sure I'm not missing something before I file a support case.
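As an added example (not code from the post or from Splunk itself), here is a small Python emulation of how a transforms.conf stanza like the one above is applied to an event's host metadata, together with a lint check that FORMAT carries the prefix Splunk's transforms.conf spec expects for a MetaData:* destination key (metadata values are stored as `host::…`, `source::…`, `sourcetype::…`, which is why the REGEX above starts with `^host::`). The stanza dict mirrors the post; the host values are constructed.

```python
import re

# Stanza from the post, as a dict (constructed representation).
STANZA = {
    "SOURCE_KEY": "MetaData:Host",
    "DEST_KEY": "MetaData:Sourcetype",
    "REGEX": r"^host::vmware-\d+.example.com$",
    "FORMAT": "vmware_syslog",
}

# Prefix each MetaData key expects in FORMAT, per transforms.conf.spec
# (assumption taken from the spec, not from the post).
EXPECTED_PREFIX = {
    "MetaData:Host": "host::",
    "MetaData:Source": "source::",
    "MetaData:Sourcetype": "sourcetype::",
}


def lint_format(stanza):
    """Return a list of problems with FORMAT for a metadata DEST_KEY."""
    problems = []
    dest, fmt = stanza["DEST_KEY"], stanza["FORMAT"]
    prefix = EXPECTED_PREFIX.get(dest)
    if prefix and not fmt.startswith(prefix):
        problems.append(
            f"FORMAT for {dest} should start with {prefix!r}; got {fmt!r}"
        )
    return problems


def apply_transform(stanza, metadata):
    """Emulate applying the stanza to one event's metadata dict.

    Returns a copy of the metadata with DEST_KEY set when REGEX matches
    the SOURCE_KEY value. Splunk's $n capture references in FORMAT are
    not emulated; FORMAT is copied literally.
    """
    meta = dict(metadata)
    value = meta.get(stanza["SOURCE_KEY"], "")
    if re.search(stanza["REGEX"], value):
        meta[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return meta


if __name__ == "__main__":
    for host in ("host::vmware-12.example.com", "host::db-1.example.com"):
        print(host, "->", apply_transform(STANZA, {"MetaData:Host": host}))
    print(lint_format(STANZA))
```

Note that the unescaped `.` before `example.com` in the REGEX also matches any single character there, which is harmless for sourcetype assignment but worth tightening to `\.` if the pattern is reused for access control or alerting.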