For example, here is data from the last 60 minutes. Less events are returned and the index, source, and sourcetype fields are still there.
![alt text][1]
However, when I search for events from the last 24 hours, the index, source, and sourcetype fields dissappears.
![alt text][2]
[1]: /storage/temp/273273-screenshot-1.jpg
[2]: /storage/temp/273274-screenshot-2.jpg
I'm already searching in verbose mode and looking at all fields as well so this is not the issue. I think there is some limits configuration that I should set to prevent this from happening. Has anyone experienced this or have any suggestions?
↧