I discovered today that fields created by Field Extraction Rules are available in my queries, even when they don't apply to the particular _sourceCategory.
For example, if I define a FER for `_sourceCategory=foo` which extracts `foo_status`, and I make a query for `_sourceCategory=bar | count by foo_status`, this will actually return a result instead of complaining that field `foo_status` doesn't exist.
This doesn't break anything, but I'm curious if anyone knows why this works this way. Off the top of my head, I was wondering if this is something to do with elasticsearch or lucene, though I don't actually know if sumo logic uses either of those under the hood.
All the best,
Please sign in to leave a comment.