We have a number of different log types, many of which contain similar fields. I understand that it is preferred to do extraction at search time rather than index time, and automatic field extraction, either with regex or delimiters, is one such option.
My goal is to extract some of these common fields so that when we are diagnosing an issue under time pressure, we have all of the commonly used fields already extracted and ready for simple search queries, rather than having to do on-the-spot regular expression searches. So far it looks like we already have quite a number of extractions enabled, although I'm not positive how, or whether, any of them are working.
My questions are:
Are all of these extractions active and used at search time, for any that are saved with Global or App-wide sharing mode? I need to know that the extractions I define will be automatically used by everyone without needing further configuration.
How can I find records that are not being correctly extracted? E.g. fieldname="" doesn't seem to work. I want to search for all records that don't have a particular field defined (because extraction failed or wasn't defined).
What is the behaviour when different extractions overlap in their field names? There may be several that define the name "space" on the same record type, for example.
Thanks!
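The second and third questions (finding records where a field was never extracted, and what happens when two extractions define the same field name) are easier to reason about with a small offline model of search-time extraction. The following is an added example, not code from the original post or from Splunk: it applies a list of regex extractions with named capture groups to a handful of constructed sample events, reports the events where a given field is absent, and surfaces every event where more than one rule produced a value for the same field. The first-definition-wins precedence used here is a choice made for the example so that conflicts are visible, not a statement of how any particular product resolves overlapping extractions; the event text, rule names and regexes are all invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs). Three log types share some
# field names; the db log spells the "space" field as "ns:" and one db
# event has no space at all, so one extraction is expected to fail on it.
EVENTS = [
    '2024-01-05T10:00:01Z app=web host=web01 space=prod user=alice status=200',
    '2024-01-05T10:00:02Z app=web host=web02 space=staging user=bob status=500',
    '2024-01-05T10:00:03Z [db] host=db01 ns:prod query_ms=42',
    '2024-01-05T10:00:04Z [db] host=db02 query_ms=1300',
    '2024-01-05T10:00:05Z app=batch host=batch01 space=prod job=nightly',
    '2024-01-05T10:00:06Z [db] host=db03 ns:staging space=prod query_ms=7',
]

# Hypothetical search-time extraction rules, in definition order. Each is a
# regex with named capture groups. Two rules ("kv_space" and "db_space") both
# define the field "space" to reproduce the overlap described in the question.
EXTRACTIONS = [
    ('kv_common',  re.compile(r'host=(?P<host>\S+)')),
    ('kv_space',   re.compile(r'\bspace=(?P<space>\S+)')),
    ('db_space',   re.compile(r'\bns:(?P<space>\S+)')),
    ('web_fields', re.compile(r'user=(?P<user>\S+) status=(?P<status>\d{3})')),
]


def extract(event, rules=EXTRACTIONS):
    """Apply every rule to one raw event.

    Returns (fields, candidates): `fields` maps field name -> value under a
    first-definition-wins policy (an assumption of this example), and
    `candidates` records every (rule_name, value) seen for each field so that
    overlapping definitions are visible instead of silently collapsed.
    """
    fields = {}
    candidates = defaultdict(list)
    for name, rx in rules:
        m = rx.search(event)
        if not m:
            continue
        for field, value in m.groupdict().items():
            if value is None:
                continue
            candidates[field].append((name, value))
            fields.setdefault(field, value)   # earlier rule keeps precedence
    return fields, dict(candidates)


def missing_field(events, field, rules=EXTRACTIONS):
    """Events on which no rule produced `field` (extraction failed or none
    was defined). This is the offline equivalent of searching for events
    that lack a field rather than for an empty-string value."""
    return [e for e in events if field not in extract(e, rules)[0]]


def conflicting_field(events, field, rules=EXTRACTIONS):
    """Events where more than one rule produced a value for `field`, with the
    (rule, value) pairs, so the overlap can be audited before trusting the
    winning value."""
    out = []
    for e in events:
        cands = extract(e, rules)[1].get(field, [])
        if len(cands) > 1:
            out.append((e, cands))
    return out


if __name__ == '__main__':
    for e in EVENTS:
        print(extract(e)[0])
    print('missing space:', missing_field(EVENTS, 'space'))
    print('conflicting space:', conflicting_field(EVENTS, 'space'))
```

Running it shows that only the db02 event lacks `space`, and that on the db03 event two rules disagree (`kv_space` says `prod`, `db_space` says `staging`) while the first-defined rule's value is the one that ends up in the extracted fields. Keeping the candidate list alongside the winning value is the check worth carrying into a real deployment: an overlap that never disagrees is harmless, one that does needs the rules scoped to their own log type.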