When using NOT TERM, please keep in mind the following bug and workaround:
index=myindex NOT TERM(b=c)
will yield zero results if all the events contain “a_b=c” like this:
foo a_b=c b=d bar
The problem appears to exist only for normal searches using NOT on TERM where “b=c” exists in other places like “a_b=c”. It seems to be a post-search filter.
↧