We have a key value pair where the value begins with a newline '\n'. It used to not have that newline and old searches did the following to access the field:
index=test MSGTXT="JOBNAME*"
This would return all events with MSGTXT value starting with JOBNAME. A new release of the data changed things to start with a newline "\n" character. So I naturally just tried all of the following scenarios thinking one of them would work:
index=test MSGTXT="\nJOBNAME*"
index=test MSGTXT="\\\\nJOBNAME*"
The following works:
index=test MSGTXT="*JOBNAME*"
But the performance is so bad it's not reasonable.
I set up a field extraction
TXT\":\"\\n(?<Job_Name>\w{1,8})
thinking that would fix the issue. So I try the following:
index=test Job_Name="JOBNAME"
Which returns no results. So I try:
index=test | where Job_Name="JOBNAME"
and that works.
So I believe that there is something about a newline character that is the first character of a key value and that is being searched for on initial search criteria.
Here is the raw text I am testing with:
{"DATETIME":"2015-07-15 11:13:05.46","SYSLOGSYSTEMNAME":"XXX2","JOBID":"","MSGNUM":"SE","MSGTXT":"\nJOBNAME ENDED AT N1 MAXCC=0000',LOGON,USER=(WWCXXX)"}
Any ideas on what might be wrong or if this is potentially a bug?
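Added example, not part of the original post: a small Python model of the two things the post puts side by side, namely the JSON-decoded MSGTXT value (which really starts with a newline character) versus the raw event text (where the value starts with the two characters backslash and n). It reproduces why a prefix wildcard like JOBNAME* cannot match the decoded value while *JOBNAME* can, and shows the post's extraction regex capturing JOBNAME from the raw text. The wildcard-to-regex translation and the case-insensitive comparison are this example's assumptions about how field matching behaves, not Splunk's code; the PCRE named group (?<Job_Name>...) is written in Python's (?P<Job_Name>...) form.

```python
import json
import re

# Constructed copy of the raw event quoted in the post, exactly as it sits in
# the index: the MSGTXT value begins with a literal backslash followed by 'n'.
RAW_EVENT = r'''{"DATETIME":"2015-07-15 11:13:05.46","SYSLOGSYSTEMNAME":"XXX2","JOBID":"","MSGNUM":"SE","MSGTXT":"\nJOBNAME ENDED AT N1 MAXCC=0000',LOGON,USER=(WWCXXX)"}'''


def decoded_msgtxt(raw: str) -> str:
    """Return the MSGTXT field after JSON decoding.

    JSON decoding turns the two-character escape '\\n' into a single newline
    character, so the decoded value starts with '\n' rather than 'J'.
    """
    return json.loads(raw)["MSGTXT"]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a field wildcard into an anchored regex (assumption: '*'
    matches any run of characters, newlines included, and the comparison is
    case-insensitive, as Splunk field matching is by default)."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.DOTALL | re.IGNORECASE)


def field_matches(value: str, pattern: str) -> bool:
    """Does the whole field value satisfy the wildcard pattern?"""
    return wildcard_to_regex(pattern).match(value) is not None


# The post's field extraction, translated to Python's named-group syntax.
# '\\n' in the pattern matches a backslash followed by 'n', i.e. the escape
# sequence as it appears in the raw text, not a newline character.
JOB_NAME_RE = re.compile(r'TXT\":\"\\n(?P<Job_Name>\w{1,8})')


def extract_job_name(raw: str):
    """Run the extraction against the raw event text and return the capture."""
    match = JOB_NAME_RE.search(raw)
    return match.group("Job_Name") if match else None


if __name__ == "__main__":
    value = decoded_msgtxt(RAW_EVENT)
    print("decoded value starts with newline:", value.startswith("\n"))
    print('JOBNAME*  matches decoded value:', field_matches(value, "JOBNAME*"))
    print('*JOBNAME* matches decoded value:', field_matches(value, "*JOBNAME*"))
    print("extracted Job_Name from raw text:", extract_job_name(RAW_EVENT))
```

The prefix search fails because the first character of the decoded value is the newline, so nothing that must begin with "J" can match it; the leading-wildcard form matches but has to scan every value. The regex extraction sidesteps the problem by anchoring on the raw text's backslash-n escape and capturing only the token after it, which is why comparing the extracted Job_Name against the plain string "JOBNAME" succeeds.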