https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412483#M5554 <P>Yes, it working. Using * at the end <CODE>index=testindex asset = "up%20asset*"</CODE> also works. <BR /> This also works <CODE>..| where like(asset, "up%asset")</CODE><BR /> But we cannot use <CODE>where</CODE> condition because we want to filter out as many assets as possible before the first pipe.<BR /> And we cannot use wildcards which may include other assets. We just want to be sure to filter only this one.<BR /> The problem here is for the same data it works in 6.4.5</P> Fri, 29 Jun 2018 09:27:44 GMT immortalraghava 2018-06-29T09:27:44Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412477#M5548 <P>Hi,</P> <P>I upgraded my system from Splunk 6.4.5 to Splunk 7.<BR />I found an issue with the search behavior.<BR />Search:</P> <PRE><CODE> index=testindex | where asset = "up%20asset" </CODE></PRE> <P>The above search produces results in 6.4.5 but not in 7.0.4<BR />Has anything changed under the hood?<BR />Any help is appreciated.</P> Mon, 15 Jun 2020 20:30:35 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412477#M5548 immortalraghava 2020-06-15T20:30:35Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412478#M5549 <P>So you are looking for a space in a URL in the events?</P> Thu, 28 Jun 2018 19:50:33 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412478#M5549 cpetterborg 2018-06-28T19:50:33Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412479#M5550 <P>Just to confirm your running this in smart mode?</P> <P>Also the asset field is extracted as you expected?</P> Fri, 29 Jun 2018 01:19:43 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412479#M5550 gjanders 2018-06-29T01:19:43Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412480#M5551 <P>Can you try : <BR /> <CODE>index=testindex asset = "up*asset"</CODE> <BR /> or<BR /> <CODE>..| where like(asset, "up%asset")</CODE></P> <P>If no result, can you check if <CODE>asset</CODE> is extracted in the fields bar, by running only <CODE>index=testindex</CODE>, make sure you are running it in the smart mode.<BR /> If it's there then check the values to make sure <CODE>up..</CODE> is there</P> Fri, 29 Jun 2018 01:27:21 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412480#M5551 amiftah 2018-06-29T01:27:21Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412481#M5552 <P>No, I am looking for the events with the exact asset value. That is how it is indexed. I can see on the left side event count for this asset when I run just <CODE>index=testindex</CODE>. But when I try to filter it does not bring the results. For the same event data and same search, it works in 6.4.5</P> Fri, 29 Jun 2018 09:19:48 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412481#M5552 immortalraghava 2018-06-29T09:19:48Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412482#M5553 <P>Yes, Asset field is extracted. Actually, I just select the asset from the left sidebar after running <CODE>index = testindex</CODE><BR /> But for same data and same asset, we get results in 6.4.5<BR /> Tried in all modes nothing happens. It does not work in the current 7.0.4 version.</P> Fri, 29 Jun 2018 09:23:24 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412482#M5553 immortalraghava 2018-06-29T09:23:24Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412483#M5554 <P>Yes, it working. Using * at the end <CODE>index=testindex asset = "up%20asset*"</CODE> also works. <BR /> This also works <CODE>..| where like(asset, "up%asset")</CODE><BR /> But we cannot use <CODE>where</CODE> condition because we want to filter out as many assets as possible before the first pipe.<BR /> And we cannot use wildcards which may include other assets. We just want to be sure to filter only this one.<BR /> The problem here is for the same data it works in 6.4.5</P> Fri, 29 Jun 2018 09:27:44 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412483#M5554 immortalraghava 2018-06-29T09:27:44Z https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412484#M5555 <P>Can you try with version <CODE>7.0.3</CODE>, I don't know I find this version the most stable..</P> Fri, 29 Jun 2018 11:26:53 GMT https://community.splunk.com/t5/Installation/Issues-with-Splunk-search-behavior-after-upgrading-from-version/m-p/412484#M5555 amiftah 2018-06-29T11:26:53Z