We ended up with an operation index that has two hosts per event, let's say aaa
and bbb
.
Searching for index=shortland host=aaa
brings results but index=shortland host=bbb
does not.
What can it be?
If that search does not work, then your host
field does really have both values. We will never get to the bottom of this unless you post an event. and your props.conf settings.
Hi @ddrillic
H can achieve with OR ,IN
EG:- host=aaa or host=bbb
host in ("aaa","bbb")
If my answer helped please accept answer or up vote
Thank you @harishalipaka.
Can you share a sample (sanitized) event, please?
No worries - speaking with the sales engineer who explained that one host
value was indexed at index time and another one was discovered at search time. Apparently, only the index time value is searchable when searching against the host
field.
For the record, a similar case at How to handle search query when json data has host field?