https://community.splunk.com/t5/Splunk-Search/Search-shows-zero-results-when-searching-a-field-defined-by/m-p/501228#M139582 <P>index=environment sourcetype=infinity_thermostat &lt; shows all the extracted fields and values under "Interesting Fields"&gt;</P> <P>When I click and interesting field, see it's values and select a value (which adds it to the search), zero results are returned. Is this a bug in recent versions?</P> <P>I've seen other "similar" posts and some talk about workarounds such as fields.conf, but this is pretty straight forward and the search time extractions are working, just not searchable when used in the search. </P> <P>cooling=idle is the example I'm using which returns zero, cooling=idle* (zero results), cooling=idl* (zero results), cooling=id* (results), cooling=i* (results), cooling=* (all results), cooling=*idle (results)</P> <P>Thank you for any thoughts/help </P> <P>Screenshots attached showing the issue.<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8588i4EECDA482F9395B6/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8589i0646B8B449AB295B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 26 Mar 2020 22:29:16 GMT nortonjco 2020-03-26T22:29:16Z https://community.splunk.com/t5/Splunk-Search/Search-shows-zero-results-when-searching-a-field-defined-by/m-p/501228#M139582 <P>index=environment sourcetype=infinity_thermostat &lt; shows all the extracted fields and values under "Interesting Fields"&gt;</P> <P>When I click and interesting field, see it's values and select a value (which adds it to the search), zero results are returned. Is this a bug in recent versions?</P> <P>I've seen other "similar" posts and some talk about workarounds such as fields.conf, but this is pretty straight forward and the search time extractions are working, just not searchable when used in the search. </P> <P>cooling=idle is the example I'm using which returns zero, cooling=idle* (zero results), cooling=idl* (zero results), cooling=id* (results), cooling=i* (results), cooling=* (all results), cooling=*idle (results)</P> <P>Thank you for any thoughts/help </P> <P>Screenshots attached showing the issue.<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8588i4EECDA482F9395B6/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8589i0646B8B449AB295B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 26 Mar 2020 22:29:16 GMT https://community.splunk.com/t5/Splunk-Search/Search-shows-zero-results-when-searching-a-field-defined-by/m-p/501228#M139582 nortonjco 2020-03-26T22:29:16Z https://community.splunk.com/t5/Splunk-Search/Search-shows-zero-results-when-searching-a-field-defined-by/m-p/501229#M139583 <P>This is a classic example of the <CODE>field.conf</CODE> problem so why are you doubting the appropriateness and efficacy? I will reiterate what you have already read:</P> <P>If your values are not separated by major/minor-breakers (segmenters.conf), then they will not appear as indexed values in your tsidx so you have to tell the Search Head that these fields are not indexed fields by adding this to fields.conf:</P> <PRE><CODE>[cooling] INDEXED_VALUE = false </CODE></PRE> <P>See details here:<BR /> <A href="https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html">https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html</A></P> <P>BE CAREFUL! This is a GLOBAL setting and will effect all fields named <CODE>cooling</CODE> so you would be best off naming this field something that is uncommon (unlikely to be used by anybody else anywhere else).</P> Fri, 27 Mar 2020 04:43:47 GMT https://community.splunk.com/t5/Splunk-Search/Search-shows-zero-results-when-searching-a-field-defined-by/m-p/501229#M139583 woodcock 2020-03-27T04:43:47Z https://community.splunk.com/t5/Splunk-Search/Search-shows-zero-results-when-searching-a-field-defined-by/m-p/550293#M156158 <P>I have a couple of questions:</P><P>1) Isn't it the case that this was fixed after version 4.3? That is what's noted in the document linked in the explanation. We're seeing this behavior, and we're on cloud 8.0.x.</P><P>2) It's a global change to affect field.conf - is that the same for affecting segmenters.conf?</P> Mon, 03 May 2021 22:47:50 GMT https://community.splunk.com/t5/Splunk-Search/Search-shows-zero-results-when-searching-a-field-defined-by/m-p/550293#M156158 jasongb 2021-05-03T22:47:50Z