Hi all,
I have a very strange behaviour in one of my searches:
- I extracted a field from a raw as a part of a word: "2016-04-13 12.12.45 ZZ1234567890123456789" and I need to take only the first 8 letters after the date "ZZ123456";
- I use the following regex "^.{20}(?<Myfield>\w{8})", it runs, I can extract my field and show it in my tables.
The problem is when I want to search using my field, because if I write:
index=xxx sourcetype=xxx Myfield="ZZ123456"
I haven't any result,
instead if I write
index=xxx sourcetype=xxx | search Myfield="ZZ123456"
I find the correct log.
The problem seems to be in the field extraction because if I extract the full string "^.{20}(?<Myfield>\w{21})" the search runs in both the situations, instead if I want to use only a part of it the search doesn't run.
Now I'm modifying all my searches but it's a long job that I'd like to avoid
Does anyone have an idea of how to intervene?
Thank you in advance.
Bye.
Giuseppe