This search: index=flowspaces sourcetype=auditlog produces search results that are not displayed in the UI.
If fields are forced, events are displayed.
Argh.
I mistakenly overwrote a newer props.conf with one with a bad eval on _time.
That'll do it every time...
The captcha won't let me edit my OP. Sorry.
This search:
index=flowspaces sourcetype=auditlog
produces search results that are not displayed in the UI.
If fields are forced, events are displayed.
E.g.
index=flowspaces sourcetype=auditlog | fields extracted-field1 extracted-field2
This is a big problem for some very large search queries which rely on that sourcetype - the necessary data is available but not showing up in the searches and makes all saved searches useless.