NOTE: SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:

  • If the parameter is longer than 59 characters, an exact search might deliver multiple, imprecise results.

    Consider the following example. If the parameter is:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

    SSB indexes it only as:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

    This corresponds to the first 59 characters. As a result, searching for:

    nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

    returns all log messages that contain:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-
  • Using wildcards might lead to the omission of certain messages from the search results.

    Using the same example as above, searching for the value:

    nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

    does not return any results (as the 12345 part was not indexed). Instead, you have to search for:

    nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

    This, as explained above, might find multiple results.