https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/603342#M209979 <P>I have logs that seem to be extracting perfectly. All fields show up in "Interesting Fields", and each one can be searched (myField=*) gives results.</P> <P>EXCEPT:</P> <P>I have a field called "domain". It cannot be searched. It is there. It shows 100% of events have it. I hover over it and i see the contents. But when I run a search, nada.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="oliverja_1-1656318185235.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20302iCA7245298EE965BD/image-size/medium?v=v2&amp;px=400" role="button" title="oliverja_1-1656318185235.png" alt="oliverja_1-1656318185235.png" /></span></P> <P>Search&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii domain="insight.adsrvr.org"</LI-CODE> <P>&nbsp;</P> <P>0 Results found.</P> <P>Same for domain=*</P> <P>Now, if we throw in spath</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii | spath domain | search domain="insight.adsrvr.org"</LI-CODE> <P>&nbsp;</P> <P>we get plenty of results.</P> <P>What is happening? From everything i can tell, I should not need spath because the event is extracting just fine. All the other dozen fields are extracted and searchable.&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii | table domain</LI-CODE> <P>&nbsp;</P> <P>&nbsp;works fine. How can I table something that doesn't exist?</P> Mon, 27 Jun 2022 15:15:53 GMT oliverja 2022-06-27T15:15:53Z https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/603342#M209979 <P>I have logs that seem to be extracting perfectly. All fields show up in "Interesting Fields", and each one can be searched (myField=*) gives results.</P> <P>EXCEPT:</P> <P>I have a field called "domain". It cannot be searched. It is there. It shows 100% of events have it. I hover over it and i see the contents. But when I run a search, nada.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="oliverja_1-1656318185235.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20302iCA7245298EE965BD/image-size/medium?v=v2&amp;px=400" role="button" title="oliverja_1-1656318185235.png" alt="oliverja_1-1656318185235.png" /></span></P> <P>Search&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii domain="insight.adsrvr.org"</LI-CODE> <P>&nbsp;</P> <P>0 Results found.</P> <P>Same for domain=*</P> <P>Now, if we throw in spath</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii | spath domain | search domain="insight.adsrvr.org"</LI-CODE> <P>&nbsp;</P> <P>we get plenty of results.</P> <P>What is happening? From everything i can tell, I should not need spath because the event is extracting just fine. All the other dozen fields are extracted and searchable.&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=disa-cbii | table domain</LI-CODE> <P>&nbsp;</P> <P>&nbsp;works fine. How can I table something that doesn't exist?</P> Mon, 27 Jun 2022 15:15:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/603342#M209979 oliverja 2022-06-27T15:15:53Z https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/603347#M209980 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243568">@oliverja</a>,</P><P>if you said the using the spath command you see the data, I suppose that you're speaking of json format, did you used the INDEXED_EXTRACTION=JSON in your props.conf?</P><P>Ciao.</P><P>Giuseppe</P> Mon, 27 Jun 2022 08:44:09 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/603347#M209980 gcusello 2022-06-27T08:44:09Z https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/603350#M209981 <P>I have <EM>"KV_MODE = json" </EM>in my props.conf, which I took to mean that my extractions could take place at search time, instead of index time.</P><P>If I do your solution, I would need to disable the KV_MODE so that it is not doing the same work twice? But it would be done on the ingest/index side, not search. We get a lot of these, and I am worried about the storage implications.</P><P>I also want to add -- "domain" shows up as covering 100% of events. Again implying it is working?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="oliverja_0-1656321192530.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20305iFBFAA28A27CB47BB/image-size/medium?v=v2&amp;px=400" role="button" title="oliverja_0-1656321192530.png" alt="oliverja_0-1656321192530.png" /></span></P><P>&nbsp;</P> Mon, 27 Jun 2022 09:13:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/603350#M209981 oliverja 2022-06-27T09:13:37Z https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/604520#M210276 <P>Any more clarification before I start overriding things?</P> Wed, 06 Jul 2022 05:07:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/604520#M210276 oliverja 2022-07-06T05:07:06Z https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/604531#M210277 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243568">@oliverja</a>,</P><P>as I said, I usually use INDEXED_EXTRACTIONS = JSON and it always correctly runs&nbsp; but kv_mode = json should still work.</P><P>Anyway, if the problem is only on one field (domain) maybe the easiest solution is to add a regex extraction on ly for this field, to avoid to change all your extractions.</P><P>Ciao.</P><P>giuseppe</P><P>&nbsp;</P> Wed, 06 Jul 2022 06:33:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Extracted-field-not-searchable/m-p/604531#M210277 gcusello 2022-07-06T06:33:11Z