Question:
For some reason, I'm unable to have the "_sourcehost"/"Source Host" field listed in the search query results. It shows up only if I check the field in the left panel of the Search UI browser. What could be causing this?
Problem:
This is expected behaviour. As described in the fields operator documentation linked below, only the fields you explicitly include with a fields statement are kept in the query output; every other parsed field is stripped, except for the system internal fields (_collector, _source, _sourcehost, etc.). Because _sourcehost is a system internal field, its handling does not change whether or not you add a whitelist fields statement: it is retained as metadata, but the results still display without the source host column until you select it in the field panel.
To see this behaviour for yourself, run a dummy query like the one below. It extracts two fields, b and a, and then whitelists only b; in the result you will see the parsed field b in the output while field a is stripped.
pod="USE4" _sourceCategory=*ICAI*Catalina* and "Preparing for process recovery for engine"
| "hello" as b
| "test" as a
| fields b
For more info: https://help.sumologic.com/docs/search/search-query-language/search-operators/fields/
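The fields operator also has a blacklist form, which removes the named fields and keeps everything else. The following query is an added example, not the author's query above; the source category pattern and message string are constructed placeholders, and the two constant fields b and a are created the same way as in the query above. Either form leaves the system internal fields untouched, so _sourcehost stays available in the field panel in both cases.

```sumo
_sourceCategory=*example* and "Preparing for process recovery for engine"
| "hello" as b
| "test" as a
| fields -a
```

Running this blacklist variant shows b in the output and strips a, which is the same result the whitelist form above produces; only the way you name the fields differs. In both cases _sourcehost is not stripped, and you display it by checking it in the left panel of the Search UI.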