I have a summary index that is being populated correctly via a scheduled query (or so it would seem). Here's the scheduled query:
index=web sourcetype=weblog | sitimechart span=1day count BY eventtype usenull=f
If I look up all of the entries in the summary index, I see events that contain the 2 available eventtypes (http_allow and http_deny). However, running a timechart query against the summary index only produces data with a NULL eventtype:
index=summary | timechart span=1day count by orig_eventtype
(If I include the usenull=f option, then I get no data returned.) Running the analogous timechart query against the web index produces the correct result:
index=web_proxy | timechart span=1day count by eventtype usenull=f
Any ideas why my summary index appears to be ignoring the eventtype?
Thank you!