https://community.splunk.com/t5/Splunk-Search/About-quot-https-docs-splunk-com-Documentation-Splunk-7-2-3-Data/m-p/399729#M115873 <P>There is following description in this manual.</P> <PRE><CODE>For example, say you're performing a simple &lt;field&gt;::1234 extraction at index time. This could work, but you would have problems if you also implement a search-time field extraction based on a regex like A(\d+)B, where the string A1234B yields a value for that field of 1234. This would turn up events for 1234 at search time that Splunk would be unable to locate at index time with the &lt;field&gt;::1234 extraction. </CODE></PRE> <P>I don't feel that Splunk is completely a "schema on the fly" in this specification...<BR /> Is this specification never modified?</P> <P>I hope that it will be changed.</P> Mon, 18 Feb 2019 10:36:32 GMT yutaka1005 2019-02-18T10:36:32Z https://community.splunk.com/t5/Splunk-Search/About-quot-https-docs-splunk-com-Documentation-Splunk-7-2-3-Data/m-p/399729#M115873 <P>There is following description in this manual.</P> <PRE><CODE>For example, say you're performing a simple &lt;field&gt;::1234 extraction at index time. This could work, but you would have problems if you also implement a search-time field extraction based on a regex like A(\d+)B, where the string A1234B yields a value for that field of 1234. This would turn up events for 1234 at search time that Splunk would be unable to locate at index time with the &lt;field&gt;::1234 extraction. </CODE></PRE> <P>I don't feel that Splunk is completely a "schema on the fly" in this specification...<BR /> Is this specification never modified?</P> <P>I hope that it will be changed.</P> Mon, 18 Feb 2019 10:36:32 GMT https://community.splunk.com/t5/Splunk-Search/About-quot-https-docs-splunk-com-Documentation-Splunk-7-2-3-Data/m-p/399729#M115873 yutaka1005 2019-02-18T10:36:32Z https://community.splunk.com/t5/Splunk-Search/About-quot-https-docs-splunk-com-Documentation-Splunk-7-2-3-Data/m-p/399730#M115874 <P>That text is AWFUL. What they are trying to say is that if you isolate a value for a field at index time where the value is not prefixed/bounded by major/minor-breakers, you need to tell splunk this by using <CODE>INDEXED_VALUE=false</CODE>. This is important because Splunk needs to know that the value for this field is not part of the tsidx/strings list. I submitted dox feedback pointing to this Q&amp;A and hopefully they will make it more clear.</P> Thu, 07 Mar 2019 04:17:17 GMT https://community.splunk.com/t5/Splunk-Search/About-quot-https-docs-splunk-com-Documentation-Splunk-7-2-3-Data/m-p/399730#M115874 woodcock 2019-03-07T04:17:17Z https://community.splunk.com/t5/Splunk-Search/About-quot-https-docs-splunk-com-Documentation-Splunk-7-2-3-Data/m-p/399731#M115875 <P>Wow, you are right.</P> <P>By setting INDEXED_VALUE = false, it was possible to search even field that special extraction was done from middle of words.</P> Thu, 07 Mar 2019 06:22:28 GMT https://community.splunk.com/t5/Splunk-Search/About-quot-https-docs-splunk-com-Documentation-Splunk-7-2-3-Data/m-p/399731#M115875 yutaka1005 2019-03-07T06:22:28Z