unable to search data using SPL
index=test ssp=3538
following search does return the result
index=test ssp=*3538
To resolve the issue implemented
Fields.conf
[ssp]
INDEXED = True
After adding to Fields.conf we could search using >>>index=agcy-dns ssp=3538
We noticed that field ssp case giving a double count.
To see duplicate usedvalue for filed as used
index=test ssp=3538 | eval A=mvcount(ssp) | search A=2
Issue was meta was defined ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) in default stanza for inputs.conf , for search head ( inputs.conf with _meta settings) , and for indexer indexer(inputs.conf, the same _meta settings) resulted in two values because we do not deduplicate
We suspect it become like this ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) and they were indexed twice.
It will be notice toe document it.