Defined field values showing no results, unless reloaded

afx — Wed, 05 Jun 2019 13:09:40 GMT

Hi, I have a totally weird situation.

The field list on the left shows me the stuff I have defined.
When I click on one of them, I see the field values. But when I then select one, the search does not show anything:

index=amp_sal message_id=AU1

Delivers no results even though Splunk just told me there are AU1 message_ids...
But when I exclude the field I see results:

index=amp_sal message_id!=AU1

And I also see results when I perform a reload in the query:

index=amp_sal 
| extract reload=t 
| search message_id=AU1

So what is going on?
Of course, there have been plenty of restarts.

This is how the fields are defined:

EXTRACT-sal = ^(?<message_id>.{3})(?<date>.{8})(?<time>.{6})(\w\w)(?<process_id>.{5})(?<task>.{5})(?<proctype>.{2})(?<term>.{8})(?<user>.{12})(?<transaction>.{20})(?<app>.{40})(?<client>.{3})(?<message>.{64})(?<src>.{20})

And the best thing is, this is not consistent for the defined fields, some work ok, some exhibit the weird behavior.
I tried to define them individually, but that did not change anything.

Any ideas?
thx
afx

Re: Defined field values showing no results, unless reloaded

DavidHourani — Wed, 05 Jun 2019 14:32:59 GMT

Hi @afx,

does this work ?

 index=amp_sal message_id="AU1"

Could be that AU1 is also a field name ? Is it the same regardless what you type for message_id ?

Re: Defined field values showing no results, unless reloaded

afx — Wed, 05 Jun 2019 14:37:56 GMT

Thanks, but that has the same empty result.
AU1 is one of many possible message Ids (and no, none of them works) that splunk shows me as available.

cheers
afx

topic Re: Defined field values showing no results, unless reloaded in Getting Data In

Defined field values showing no results, unless reloaded

Re: Defined field values showing no results, unless reloaded

Re: Defined field values showing no results, unless reloaded