Hi all, we added to the ignore_malformed to index template, and its working has intended, since when doing the query “exists:_ignored” returns results. The problem is that this field “_ignored” it’s not visible in graylog. Is there a way to show this field in graylog?
I was looking here to find out how ignore_malformed works.
What I understand is _ignoredfield is searchable with term, terms and exists queries, and is returned as part of the search hits.
Have you tired expanding your search query time?
OR
Perhaps using ALL or all including reserved fields. These are links so you just need to click them