topic Re: have to add wildcard to end of field value to search.. strange... in Splunk Search

have to add wildcard to end of field value to search.. strange...

mmattek — Mon, 16 Jul 2012 17:23:57 GMT

I have a field defined in a transform. The field appears to work fine in a chart, whatever, but to put it in a field i have to put fieldfoo="value*" , even though the value has no characters (not even a space, I checked, after the "e" in this case.

To make it even weirder, there is an alias to this field (for backward compatibliity for some old searches, and that one works fine....

Re: have to add wildcard to end of field value to search.. strange...

Ayn — Mon, 16 Jul 2012 18:57:19 GMT

Might this field contain a value that isn't part of indexed data, or only part of a token in indexed data? For instance, in the first case, the field could have been extracted in something like this manner:

[myfieldextraction]
REGEX = (matchsomething)
FORMAT = myfield::someothertext

...so the field would have the value "someothertext" even though that value doesn't actually exist at all in the index.

Or, in the second case, the extraction would look something like this:

[myotherfieldextraction]
REGEX = (matchjust)apartofaword
FORMAT = myotherfield::$1

If any of these apply to your extraction, you are very likely seeing the effects of what is described in detail in this excellent blog post: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

Re: have to add wildcard to end of field value to search.. strange...

mmattek — Mon, 16 Jul 2012 19:45:15 GMT

that's interesting, so I tried indexed_value=false, didn't fix it. The fields.conf spec indicates this is only applicable for an index=false, which this field is indexed=true.

here's the deal, I have a transform (in transforms.conf of this app).
[framework-parts]
FORMAT = $0 loglevel::"$1" threadname::"$2" logger::"$3" user::"$4" rmrealm::"$5" processid::"$6" messageid::"$7"
REGEX = ([A-Z]+)\s+[(.?)]\s+(.?)\s+((.?@(.?)|.?))\s+((.?))\s+((.*?))

Re: have to add wildcard to end of field value to search.. strange...

mmattek — Mon, 16 Jul 2012 19:45:30 GMT

put this in two comments for length 🙂

then I have this in props.conf:

REPORT-frameworkparts = framework-parts,framework-threadname-parts,rmdirect-structuredlog,rmdirect-structuredlog-props,rm-framework-event-type

[threadname]
INDEXED=true
INDEXED_VALUE=false

Re: have to add wildcard to end of field value to search.. strange...

Ayn — Mon, 28 Sep 2020 12:05:59 GMT

You shouldn't set INDEXED=true because it's not an indexed field. I know the docs (and the blog post I linked to) say that Splunk should be able to handle this situation by itself now, so you won't have to set indexed_value yourself, however that simply doesn't seem to be true. Try just setting INDEXED_VALUE to false without setting INDEXED=true.