NOTE: SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:
-
If the parameter is longer than 59 characters, an exact search might deliver multiple, imprecise results.
Consider the following example. If the parameter is:
.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345
SSB indexes it only as:
.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-
This corresponds to the first 59 characters. As a result, searching for:
nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345
returns all log messages that contain:
.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-
-
Using wildcards might lead to the omission of certain messages from the search results.
Using the same example as above, searching for the value:
nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345
does not return any results (as the 12345 part was not indexed). Instead, you have to search for:
nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*
This, as explained above, might find multiple results.