I have some sources that are coming in as JSON, and I am experiencing odd behavior where I cannot search on a particular field, and can only find the value when doing a search against the _raw data.
So, for example, I have a field, let's say "cluster", and I see it is extracted just fine in the "Interesting fields" list on the left-hand side. One of the values, we'll say, is "cluster-name-A".
If I search in the query bar for:
cluster="cluster-name-A" sourcetype=mysourcetype index=myindex
I get no results. However, if I just do a blanket search:
cluster-name-A sourcetype=mysourcetype index=myindex
My expected results come back fine.
What can I investigate here to see why it will not let me use the field name in our searches?
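One way to narrow this down is to compare the value Splunk extracted into "cluster" against the value actually present in the JSON of the same events. The search below is an added diagnostic, not part of the original post; it assumes the index, sourcetype, field and value named above, and the field name cluster_from_json is an arbitrary name chosen here.

```spl
index=myindex sourcetype=mysourcetype cluster-name-A
| spath output=cluster_from_json path=cluster
| fillnull value="<null>" cluster cluster_from_json
| eval cluster_len=len(cluster), json_len=len(cluster_from_json),
       values_match=if(cluster==cluster_from_json, "yes", "no")
| stats count by cluster cluster_from_json cluster_len json_len values_match
```

The blanket term search finds the events, so the stats table shows exactly what the field search is being compared against. If cluster is "<null>" while cluster_from_json holds the value, the sidebar and the search are not using the same extraction. If both hold the value but the lengths differ, there is whitespace or quoting in the extracted value that the literal cluster="cluster-name-A" match does not see. If the values match exactly and the field search still returns nothing, check whether "cluster" is declared as an indexed field (INDEXED = true in fields.conf) without actually being indexed, since a field marked indexed is looked up in the index rather than extracted at search time.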