Searching using a field extraction rule field fails when used AFTER json auto

Follow

Online Samples Qualtrics

• June 26, 2019 20:51

Our logs are a formatted JSON string. We are attempting to search using a field extracted using a field extraction rule. The field correctly shows up when we do a simple search. However, after using `json auto` it fails to find data. Here are two example queries that represent what we are seeing. The field `dc` is the extracted rule.

1. This request fails to find any results ```_sourceCategory={source} "/samples?ownerIds=" | json auto | where !isNull(%"responsetime") | where dc = "{dc value}"```
2. The request finds results ```_sourceCategory=ta-cop-{source} "/samples?ownerIds=" | where dc = "{dc value}" | json auto | where !isNull(%"responsetime")```.

Notice how the only difference is the order of where the `where dc="g1-iad"` is located.

0

• Official comment

  

  Raghu Murthy

  • June 27, 2019 17:10

  Devon,

   

  Thanks for bringing this to our attention this issue with the "json auto" operator where it overrides a FER extracted field value with a null value for a field that does not exist in the raw message. We are addressing this issue shortly

   

  Best,

  Raghu

  Sumo Logic Inc.

  Comment actions Permalink

Please sign in to leave a comment.