Field matches not working properly
I have 2 hosts that I'm interested in: "uv1s822:" and "uv2s822:"
This filter should and used to work: | where host matches "*s822:" but now it only shows the latter.
The former does show up when I do: | where host matches "uv1s*"
So it's there.
-
Hi Azriel,
This seems a bit strange for sure. Using matches, the string is case sensitive, so that is one thing to check. Your filter would not match S822, for example.
If you have parsed out the host field in a field extraction rule, you will get better performance in the query using host=uv1s* instead, and doing this as a wild-carded keyword, it's case insensitive as well, for example:
_sourcecategory=something host=uv1s* | ... more query
One other thing to check is, in a matching query, add something like this just to check if there is, say, a trailing space in the host value:
| concat("'",host,"'") as check_host
| count by check_host
-
The host field is in a field extraction rule. I've tested and verified that the host is not including trailing spaces. It is strange that when I do a query for uv1s822:, the display field on the left panel does not show. It does, however, show for uv2s822:. This is very strange since we've used this for over a year now and never had this issue. I'll attach some screenshots to show the display field thing.
uv1s822:
uv2s822:
query for uv*:
-
When I do the wildcard search, other hosts with "uv" show up. I'm thinking something is probably wrong with the uv1s8222 server. Thanks for your help, Rick. Our guy has been doing some restores on that server so I'm not sure, but I don't think any more time on this will yield anything useful.
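
The two checks suggested in the reply above (case sensitivity of matches, and hidden trailing characters in the field value) can be run offline against exported host values. This is an added example, not part of the original thread and not Sumo Logic code: the wildcard semantics only approximate the matches operator (an assumption), and every function name and sample value is constructed for illustration.

```python
import re
import unicodedata

def wildcard_match(value, pattern):
    """Case-sensitive match where '*' is the only wildcard (whole value must match)."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def strip_invisible(text):
    """Drop control/format characters (Unicode categories Cc, Cf), e.g. zero-width space."""
    return "".join(ch for ch in text if unicodedata.category(ch) not in ("Cc", "Cf"))

# Each fix is one hypothesis for why a visually identical value fails to match.
FIXES = [
    ("case differs", str.lower),
    ("leading/trailing whitespace", str.strip),
    ("invisible character", strip_invisible),
]

def diagnose(value, pattern):
    """Return 'match', or the normalisation(s) that would make the value match."""
    if wildcard_match(value, pattern):
        return "match"
    reasons = [label for label, fix in FIXES
               if wildcard_match(fix(value), fix(pattern))]
    if reasons:
        return ", ".join(reasons)
    combined_value, combined_pattern = value, pattern
    for _, fix in FIXES:
        combined_value, combined_pattern = fix(combined_value), fix(combined_pattern)
    if wildcard_match(combined_value, combined_pattern):
        return "several differences combined"
    return "different text"

# Constructed sample values, not taken from the thread's data.
SAMPLE_HOSTS = ["uv1s822:", "uv2s822:", "uv1S822:", "uv2s822: ",
                "uv1s822:\u200b", "UV1S822: ", "uv3s821:"]

def report(hosts, pattern):
    return {host: diagnose(host, pattern) for host in hosts}

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_HOSTS, "*s822:").items():
        # repr() exposes trailing spaces and escapes that a UI would hide
        print(f"{host!r:20} {verdict}")
```

The quoting trick in the reply only reveals ordinary spaces; printing the value with repr() also exposes zero-width and control characters that look identical in a results panel.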