https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372708#M109610 <P>Thanks for this, you were right the 51 was a false positive.</P> Fri, 17 Nov 2017 09:00:46 GMT jrfrost 2017-11-17T09:00:46Z https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372705#M109607 <P>I have a field extraction that gets the message number from the raw message string</P> <P><STRONG>.{22}\s<A href="https://community.splunk.com/?d%7B2%7D" target="_blank">0-9</A></STRONG></P> <P>The message string is in the format of </P> <P>2017-11-15T13:32:53,915 4790018 299939553102122275000175000000000022 6834527000103_0_007500002610100_100850055_00045010000010000_1___________________</P> <P>The field is available and has values of 01, 02, 09, 11, 12, 19, 51, 52, 79, 90, 91 etc. but I cannot search for all values.</P> <P>If I search for message number 51 I get results<BR /> <STRONG>index=main msg_number=51</STRONG></P> <P>If I search for message number 52 no results are returned.<BR /> <STRONG>index=main msg_number=52</STRONG></P> <P>If I use the following search <STRONG>index=main | eval msg_number=msg_number*1 |search msg_number=52</STRONG>, I get results</P> <P>I have no idea why search for some numbers does not work.</P> Tue, 29 Sep 2020 16:49:02 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372705#M109607 jrfrost 2020-09-29T16:49:02Z https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372706#M109608 <P>Hi @jrfrost,</P> <P>can you please try this search?</P> <PRE><CODE>| index=main | rex max_match=0 field=_raw ".{22}\s[0-9](?&lt;msg_number&gt;\d{2})" | search msg_number=YOUR_NUMBER </CODE></PRE> <P>You can Set up your transforms.conf and props.conf files to configure multivalue extraction.</P> <P>In transforms.conf, add the following.</P> <PRE><CODE>[mv-type] REGEX = .{22}\s[0-9](?&lt;msg_number&gt;\d{2}) MV_ADD = true </CODE></PRE> <P>In props.conf for your sourcetype or source, set the following.</P> <PRE><CODE>REPORT-type = mv-type </CODE></PRE> <P>Thanks</P> Thu, 16 Nov 2017 17:11:18 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372706#M109608 kamlesh_vaghela 2017-11-16T17:11:18Z https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372707#M109609 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/81997">@jrfrost</a> My thoughts are that the value you are searching for in "msg_number" is not a separate token in the raw event text but part of a token string in the raw message string from which it is extracted. Events are tokenized based on rules from segmenters.conf, and the value (msg_number) is probably not its own token but just part of a token. Try setting the INDEXED_VALUE in fields.conf on the SH to account for the field-extraction settings.</P> <P>drop this exact configuration onto your search heads to fix the issue: <BR /> $SPLUNK_HOME/etc/system/local/fields.conf <BR /> [msg_number] <BR /> <CODE>INDEXED_VALUE=*&lt;VALUE&gt;*</CODE> </P> <P>restart splunk</P> <P>The lispy search will then look something like <CODE>*msg_number*</CODE> </P> <P>Its likely that the events being returned when you search msg_number=51 is a false positive and contain some other tokens in the raw event text containing 51.</P> Tue, 29 Sep 2020 16:49:27 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372707#M109609 rphillips_splk 2020-09-29T16:49:27Z https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372708#M109610 <P>Thanks for this, you were right the 51 was a false positive.</P> Fri, 17 Nov 2017 09:00:46 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-search-for-value-in-extracted-field/m-p/372708#M109610 jrfrost 2017-11-17T09:00:46Z