I have a field that I know is an indexed field because I can specify myfield::somevalue in my search and get results. After reading some of the documentation and other questions on the forum, I would expect that I should alternatively be able to specify myfield=somevalue and get the same results, albeit not as efficiently. However, I am not seeing that. The results I get when I use = are a subset of the results I get when I use the indexed ::. This has an impact on my ability to use this field as a filter with a subsearch, as it appears from my results that the subsearch is using the = form instead of ::.
So I really have 2 questions:
1) Why am I seeing different results with = vs :: ?
2) Can you use a subsearch with the indexed :: form, such as index=myindex sourcetype=mysource [search index=anotherindex somefield=somevalue | table anotherfield] ?
Say the subsearch returns a value like 1452; my search seems to be index=myindex sourcetype=mysource anotherfield=1452
Is there a way to make that index=myindex sourcetype=mysource anotherfield::1452 with the subsearch?