+2If I do a UDM Search for network.email.to = "<emailaddr>" it returns a result, but if I copy the UDM for network.session_id = "<sessionid>" for that result and search on that, it returns no results for the same time window:
The log was ingested ~41 hours ago, circa 2023-10-02 at 9PM Pacific and I'm searching for it on 2023-10-04 at 2PM Pacific, but perhaps it still hasn't indexed that field for searching?
Best answer by MNS
It looks like it just took some extra time to catch up with indexing those fields. As of this morning, I seem to be able to UDM search on any of the fields in the original log.
+2Some more information - it seems it's not just network.session_id that's not queryable, I tried all 28 fields for that record and only 3 succeeded in returning the result. These are copied directly from the result using the "Copy UDM" button so that should rule out typos, bad formatting, etc.
### Succeeds
network.email.from
network.email.to
principal.ip
### Fails
metadata.base_labels.allow_scoped_access
metadata.base_labels.log_types
metadata.base_labels.namespaces
metadata.description
metadata.event_timestamp.seconds
metadata.event_timestamp.nanos
metadata.event_type
metadata.id
metadata.ingested_timestamp.seconds
metadata.ingested_timestamp.nanos
metadata.log_type
metadata.product_event_type
metadata.vendor_name
network.email.mail_id
network.email.subject
network.session_id
network.smtp.helo
network.smtp.mail_from
network.smtp.message_path
network.smtp.rcpt_to
network.smtp.server_response
observer.hostname
principal.port
target.ip
target.port
+2It looks like it just took some extra time to catch up with indexing those fields. As of this morning, I seem to be able to UDM search on any of the fields in the original log.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.