https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431020#M5615 <P>Hi,</P> <P>We have an heavy forwarder in every location.<BR /> At the HF have an indexed field (meta) called "site-id" that gets added to each event via props/transforms (Regex = .*)</P> <P>If I now do a search:</P> <PRE><CODE>index="my_index" site-id="*" (verbose, 24 h) </CODE></PRE> <P>As a result, I get a count of 122565 events and if I clock on the field "site-id" it shows a distribution of 100% and only 1 value "my_value"</P> <P>Now, the strange behavior starts:</P> <P>If I click on the field and add it to the search with the one value that exists</P> <PRE><CODE>index="my_index" site-id="my_value" (verbose, 24 h) </CODE></PRE> <P>I only get 47 results</P> <P>If I do</P> <PRE><CODE>index="my_index" site-id="my_value*" (verbose, 24 h) </CODE></PRE> <P>I get the 122565 results again</P> <P>There are no hidden character or anything at that values I exported it and looked at the character coding only "LF"</P> <P>I even tried the following two searches to see if there is any difference:</P> <PRE><CODE>index="my_index" site-id="*"| strcat site-id ":TEST" new_site_id | search new_site_id="my_value:TEST" | stats count by new_site_id gives me the result result: count 122565 index="my_index" site-id="my_value"| strcat site-id ":TEST" new_site_id | search new_site_id="my_value:TEST" | stats count by new_site_id </CODE></PRE> <P>gives me the result: count 47</P> <PRE><CODE>search ... | fieldsummary site-id gives a count of 122565 a singe value of my_value and a dc=1 </CODE></PRE> <P>Why can't I search for site-id="my_value" and get the 122565 results?</P> <P>Please any ideas?</P> <P>Best<BR /> Michael</P> Fri, 07 Dec 2018 08:44:47 GMT socconsulting 2018-12-07T08:44:47Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431020#M5615 <P>Hi,</P> <P>We have an heavy forwarder in every location.<BR /> At the HF have an indexed field (meta) called "site-id" that gets added to each event via props/transforms (Regex = .*)</P> <P>If I now do a search:</P> <PRE><CODE>index="my_index" site-id="*" (verbose, 24 h) </CODE></PRE> <P>As a result, I get a count of 122565 events and if I clock on the field "site-id" it shows a distribution of 100% and only 1 value "my_value"</P> <P>Now, the strange behavior starts:</P> <P>If I click on the field and add it to the search with the one value that exists</P> <PRE><CODE>index="my_index" site-id="my_value" (verbose, 24 h) </CODE></PRE> <P>I only get 47 results</P> <P>If I do</P> <PRE><CODE>index="my_index" site-id="my_value*" (verbose, 24 h) </CODE></PRE> <P>I get the 122565 results again</P> <P>There are no hidden character or anything at that values I exported it and looked at the character coding only "LF"</P> <P>I even tried the following two searches to see if there is any difference:</P> <PRE><CODE>index="my_index" site-id="*"| strcat site-id ":TEST" new_site_id | search new_site_id="my_value:TEST" | stats count by new_site_id gives me the result result: count 122565 index="my_index" site-id="my_value"| strcat site-id ":TEST" new_site_id | search new_site_id="my_value:TEST" | stats count by new_site_id </CODE></PRE> <P>gives me the result: count 47</P> <PRE><CODE>search ... | fieldsummary site-id gives a count of 122565 a singe value of my_value and a dc=1 </CODE></PRE> <P>Why can't I search for site-id="my_value" and get the 122565 results?</P> <P>Please any ideas?</P> <P>Best<BR /> Michael</P> Fri, 07 Dec 2018 08:44:47 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431020#M5615 socconsulting 2018-12-07T08:44:47Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431021#M5616 <P>When you run this search, did you see any other additional sourcetypes/sources/hosts...??</P> <PRE><CODE>index="my_index" site-id="my_value*" (verbose, 24 h) </CODE></PRE> Fri, 07 Dec 2018 20:11:56 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431021#M5616 prakash007 2018-12-07T20:11:56Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431022#M5617 <P>No just the expected one.<BR /> We now even tried to change the added metafield from site-id to site_id to see if the "-" was not accepted by splunk but that did not change anything. We than added a fields.conf for the search head and the indexer cluster like:</P> <P>[site_id]<BR /> INDEXED = true<BR /> INDEXED_VALUE = false</P> <P>[site-id]<BR /> INDEXED = true<BR /> INDEXED_VALUE = false</P> <P>We tried with and without the "INDEXED_VALUES" attribute without any difference.</P> Tue, 29 Sep 2020 22:22:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431022#M5617 socconsulting 2020-09-29T22:22:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431023#M5618 <P>SOLUTION:</P> <P>The field was not known to the search head in the context of the search app / system<BR /> So we added a metadata export description on the search head inside our fields.conf</P> <P>my_fields_app/metadata/default.meta <BR /> []<BR /> access = read : [ * ], write : [ admin ]<BR /> export = system</P> <P>Now everything works like expected</P> Tue, 29 Sep 2020 22:23:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-does-this-indexed-field-search-give-the-wrong-results-when/m-p/431023#M5618 socconsulting 2020-09-29T22:23:07Z