I have added Field Extraction Rules to one of my source categories, and yet any search which filters on any of the fields that my rule extracts returns 0 results, despite the fact that there are many matching log entries.
For example, this simple search returns 0 results:

```
_sourceCategory=myCategory and RequestHost = "www.myhost.com"
```
The field extraction rule for myCategory includes RequestHost, and I see some evidence that the field exists, because if I change 'RequestHost' to 'SomethingElse' the query fails instead of just returning 0 results.
If I do an ad-hoc query that matches the Field Extraction Rule, I see that 'RequestHost' is populated and many entries contain the value "www.myhost.com". In fact, even if I replace the equality test with `RequestHost matches "*"`, I still get 0 results.
I'm not sure how to debug this or how to easily view which fields are being extracted and what their values are. Is there an easy way to do this?
Also note that if I do the following instead, the query works as expected:

```
_sourceCategory=myCategory | json parse field=_raw "ClientRequestHost" RequestHost | where RequestHost = "www.myhost.com"
```
But again, the following returns nothing:

```
_sourceCategory=myCategory and RequestHost = "www.myhost.com" | json parse field=_raw "ClientRequestHost" RequestHost
```

I would be satisfied, except that I'm not sure whether the where clause is using the extracted field or doing the parsing on the fly, which is not what I want, as this would defeat the purpose of Field Extraction Rules.
Thank you in advance for any information you could provide to help me.