dedup Removes Field From Event List
I am using Logger Version 126.96.36.19938.0. Is anyone else observing that using dedup <fieldName> in searches removes the contents of that field in the resulting event list?
For example, using dedup sourceAddress results in the sourceAddress field being empty on all search results of that particular query.
The addresses are still shown in the Field Summary and are evaluated correctly, just not shown any more in the results list.
It has nothing to do with the "keepevents" or "keepempty" parameters; I have checked those. It also has nothing to do with empty fields encountered during the evaluation; it is the same behaviour even when ensuring fields are NOT NULL.
Any further ideas?
Indeed, it seems to be related to a custom field set. When I use "all" or even "minimal" predefined field sets, the fields are still shown. Do you have any idea why this is happening and how to prevent it?
It gets even worse. When I have the dedup statement, I cannot use the deduped fields any more in custom field sets. Once I remove them from the currently selected field set (right column, where you can click on the left arrow to remove them), they disappear completely and are not shown in the corresponding field selection any more (e.g. no more "sourceAddress" under "source").
I cannot find any hint in the manual about this. It seems weird to say the least.