Hi,
I have a field extraction situation that I've never come across before, and I'm hoping someone can help me.
We have a number of fields set up to do search-time extractions and transformations. One of the fields is named "action", which looks at the values in the field and transforms them. The transformation works when you do a query that doesn't directly query that field, but if you query the field directly, it isn't found. However, if you wildcard it, the field is found.
Here's my transforms.conf:
```ini
# Sets action=blocked when the event contains |Connection_Discarded|
[stonesoft_action_blocked]
REGEX = \|(Connection_Discarded)\|
FORMAT = action::blocked

# Sets action=teardown for |Connection_Closed| or |Connection_Closed-Abnormally|
[stonesoft_action_teardown]
REGEX = \|(Connection_Closed(?:-Abnormally)?)\|
FORMAT = action::teardown

# Sets action=allowed when the event contains action=Allow or action=Permit
[stonesoft_action_allowed]
REGEX = action=(Allow|Permit)
FORMAT = action::allowed
```
If I query "index=myIndex", then the "action" field appears under "Interesting Fields", with each option - teardown, allowed, and blocked. However, if I click on any of these values and they get added to the search, it now comes back with zero events. So, "index=myIndex action=blocked" returns nothing. If I enter that directly in the search (rather than clicking on it from the event), it also returns zero events.
If I wildcard the search, and type `"index=myIndex action=*blocked*"`, then I get events returned.
Hope this makes sense. Appreciate any advice.
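An added example (not from the post and not Splunk code) that applies the three transforms above to constructed sample events: it shows that a search on the extracted field value finds the events, while a search for the same word as a literal token in the raw event text finds nothing, because "blocked", "teardown" and "allowed" never occur in the raw events. Whether Splunk pre-filters `action=blocked` as a raw term search is an assumption about its internals, not something the post states.

```python
import re

# Constructed sample events shaped to fit the post's regexes (not real Stonesoft logs).
EVENTS = [
    "2024-01-01T10:00:00|fw1|Connection_Discarded|src=10.0.0.5|dst=10.0.0.9",
    "2024-01-01T10:00:01|fw1|Connection_Closed-Abnormally|src=10.0.0.5|dst=10.0.0.9",
    "2024-01-01T10:00:02|fw1|Connection_Closed|src=10.0.0.6|dst=10.0.0.9",
    "2024-01-01T10:00:03|fw1|rule=12|action=Allow|src=10.0.0.7|dst=10.0.0.9",
    "2024-01-01T10:00:04|fw1|rule=13|action=Permit|src=10.0.0.8|dst=10.0.0.9",
]

# The three transforms from the post as (REGEX, FORMAT) pairs.
TRANSFORMS = [
    (r"\|(Connection_Discarded)\|", "action::blocked"),
    (r"\|(Connection_Closed(?:-Abnormally)?)\|", "action::teardown"),
    (r"action=(Allow|Permit)", "action::allowed"),
]


def extract_fields(event: str) -> dict:
    """Emulate search-time extraction: FORMAT 'name::value' assigns a fixed
    value to the field whenever REGEX matches (the captured group is unused)."""
    fields = {}
    for regex, fmt in TRANSFORMS:
        if re.search(regex, event):
            name, value = fmt.split("::", 1)
            fields[name] = value
    return fields


def field_search(events, name, value):
    """What the user expects 'action=blocked' to do: compare extracted values."""
    return [e for e in events if extract_fields(e).get(name) == value]


def raw_term_search(events, term):
    """A literal token search over the raw event text. Assumed breakers are
    '|', '=' and whitespace; comparison is case-insensitive."""
    hits = []
    for e in events:
        tokens = {t.lower() for t in re.split(r"[|=\s]+", e) if t}
        if term.lower() in tokens:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for value in ("blocked", "teardown", "allowed"):
        print(value, "field hits:", len(field_search(EVENTS, "action", value)),
              "raw token hits:", len(raw_term_search(EVENTS, value)))
```

Running it prints 1, 2 and 2 field hits for blocked, teardown and allowed, and 0 raw token hits for each, which is the gap between the transformed value and the text actually stored in the event.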