Hello, I have configured a custom indexed field via transforms.conf and props.conf as following: transforms.conf:  (/apps/search/local/) [EventID] FORMAT = EventID::$1 REGEX = <regex expression> WRITE_META = true   props.conf: (/apps/search/local)   [<sourcetype>] DATETIME_CONFIG =  NO_BINARY_CHECK = true category = custom pulldown_type = 1 LINE_BREAKER = ([\r\n]+) TRANSFORMS-EventID = EventID   fields.conf (etc/system/local) [sourcetype::<sourcetype>::EventID] INDEXED = True   The field EventID is getting indexed, I have checked it via   | walklex index="<index-name>" type=field | search NOT field=" *" | stats values(field)   The field will also show up at the sidebar when searching in smart mode, but not when searching in fast mode. Is there any way to make it show up in fast mode too? I assumed this woulde have been done by the fields.conf Stanza, but it seems not to work for me.   ... View more

Im trying to join the correct source hostname to my Event from where a RDP Connection was innitiated. Since the Event just provides the Source IP-Address, I want to join the hostname from my summary Index that has hostnames with the IP-Addresses which they have been assigned to over time (1m Bucket) Unfortunately its not working as expected. I build the search as following: <search string for RDP Logon Event> | bucket span=1m _time | join type=left [search index=<summary_index> | eval source_host = hostname | eval Source_Network_Address = IP | fields _time Source_Network_Address source_host] | table _time host source_host Source_Network_Address   Now what happens is, that the Source_Network_Addresses are getting matched, but it only returns the latest _time value from the summary_index by the matched Network Address for all, which ofc mostly results in a wrong hostname Why is it not also matching the _time value from the base search with the _time value from the subsearch? both _time fields are in timestamp format Thanks for helping me   ... View more