
If I do a UDM Search for network.email.to = "<emailaddr>" it returns a result, but if I copy the UDM for network.session_id = "<sessionid>" for that result and search on that, it returns no results for the same time window:

The log was ingested ~41 hours ago, circa 2023-10-02 at 9PM Pacific and I'm searching for it on 2023-10-04 at 2PM Pacific, but perhaps it still hasn't indexed that field for searching?

Some more information - it seems it's not just network.session_id that's not queryable, I tried all 28 fields for that record and only 3 succeeded in returning the result. These are copied directly from the result using the "Copy UDM" button so that should rule out typos, bad formatting, etc.

### Succeeds

network.email.from
network.email.to
principal.ip

### Fails

metadata.base_labels.allow_scoped_access
metadata.base_labels.log_types
metadata.base_labels.namespaces
metadata.description
metadata.event_timestamp.seconds
metadata.event_timestamp.nanos
metadata.event_type
metadata.id
metadata.ingested_timestamp.seconds
metadata.ingested_timestamp.nanos
metadata.log_type
metadata.product_event_type
metadata.vendor_name
network.email.mail_id
network.email.subject
network.session_id
network.smtp.helo
network.smtp.mail_from
network.smtp.message_path
network.smtp.rcpt_to
network.smtp.server_response
observer.hostname
principal.port
target.ip
target.port

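The per-field check described in the post, scripted as an added example (this is not code from the original post or from Google SecOps): it flattens a UDM event into one `field = value` search expression per scalar, so an index-lag check can be run over every field instead of clicked through, and it reports which fields did not return the record. The event is a constructed sample, and the only search syntax assumed is the `field = "value"` form used in the question.

```python
"""Build one UDM search expression per field of an event (added example)."""
from typing import Any, Iterator

SAMPLE_EVENT = {  # constructed sample, not a real ingested record
    "metadata": {
        "event_timestamp": {"seconds": 1696301400, "nanos": 0},
        "event_type": "EMAIL_TRANSACTION",
        "log_type": "EXAMPLE_MTA",  # placeholder log type
        "base_labels": {"log_types": ["EXAMPLE_MTA"], "allow_scoped_access": False},
    },
    "network": {
        "session_id": "sess-0001",
        "email": {"from": "alice@example.com", "to": ["bob@example.com"]},
    },
    "principal": {"ip": ["192.0.2.10"], "port": 25},
}


def flatten(obj: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, scalar) pairs; list elements share their parent's path."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix, obj


def udm_literal(value: Any) -> str:
    """Render a scalar as a UDM search literal: strings quoted, numbers and bools bare."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def field_queries(event: dict) -> list[str]:
    """One `path = literal` search string per scalar field, ready to run one at a time."""
    return [f"{path} = {udm_literal(value)}" for path, value in flatten(event)]


def unindexed_fields(event: dict, fields_that_returned: list[str]) -> list[str]:
    """Fields whose single-field search did not return the record (the post's 'Fails' list)."""
    return sorted({path for path, _ in flatten(event)} - set(fields_that_returned))
```

Feed each string from `field_queries` to a search over the same time window; the fields missing from the set that returned the record are the ones still waiting on indexing.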
It looks like it just took some extra time to catch up with indexing those fields. As of this morning, I seem to be able to UDM search on any of the fields in the original log.
