Let me reply to this thread since I have exactly the same issue as dongyao0001.
The problem is that I cannot see the eventtype field on the result even though we could query eventtype.
For example, I have two eventtypes which are
index=mine "ExceptionReason\": Error01\""
index=mine "ExceptionReason\": Another Error02\""
I can see the eventtype JIRA-001 on my result but cannot see JIRA-002.
Trying what you suggested, I can see the result for
index=mine eventtype="JIRA-001" | stats count by eventtype
But I cannot see the result for
index=mine eventtype="JIRA-002" | stats count by eventtype
I also tried deleting JIRA-002 and creating JIRA-003 with exactly the same search query, but it didn't work.
I know it sounds weird, but it is happening.
FYI, this gives me the empty fields:
index=mine eventtype="JIRA-002" | table eventtype
For your information, I could see the result for
Also, I could get the result using this query, which does not make sense.
eventtype="JIRA-002" | where isnull(eventtype)