Yea, I forget message: field isn’t searchable like the rest:
message:
If you are interested in the messages that contain “|ERROR|” over time it is best to break out the information with extractors and/or pipeline as the data comes in.
