https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137706#M37760 <P>Can you try:</P> <PRE><CODE>index=abc "toto3" </CODE></PRE> Fri, 13 Feb 2015 18:13:36 GMT sanjay_shrestha 2015-02-13T18:13:36Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137705#M37759 <P>These two searches don't return the same thing, and I think they should. The first one returns nothing, the second one returns some events.<BR /><BR /> Search1:</P> <PRE><CODE>index=abc toto3 </CODE></PRE> <P>Search2:</P> <PRE><CODE>index=abc _raw=*toto3* </CODE></PRE> <P>In other words, clearly I have some events which contain toto3. Search2 proves it, but they are not returned by search1 when I would expect them to be. Does anybody know how this can be possible?</P> Fri, 13 Feb 2015 17:57:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137705#M37759 manus 2015-02-13T17:57:03Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137706#M37760 <P>Can you try:</P> <PRE><CODE>index=abc "toto3" </CODE></PRE> Fri, 13 Feb 2015 18:13:36 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137706#M37760 sanjay_shrestha 2015-02-13T18:13:36Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137707#M37761 <P>That doesn't return anything, like search 1.</P> Fri, 13 Feb 2015 18:16:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137707#M37761 manus 2015-02-13T18:16:46Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137708#M37762 <P>yes that's returns some events too. Like Search 2 does.</P> Fri, 13 Feb 2015 18:16:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137708#M37762 manus 2015-02-13T18:16:46Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137709#M37763 <P>I think toto3 is not a complete word. So you can try</P> <PRE><CODE> index=abc "*toto3*" </CODE></PRE> Fri, 13 Feb 2015 18:24:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137709#M37763 sanjay_shrestha 2015-02-13T18:24:19Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137710#M37764 <P>yes it looks like it does that, indeed, but it's not supposed to that.</P> Fri, 13 Feb 2015 18:25:23 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137710#M37764 manus 2015-02-13T18:25:23Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137711#M37765 <P>When toto3 was used; splunk looks for single word toto3.</P> Fri, 13 Feb 2015 18:25:23 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137711#M37765 sanjay_shrestha 2015-02-13T18:25:23Z https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137712#M37766 <P>A search like this:</P> <PRE><CODE>index=abc toto3 </CODE></PRE> <P>does not perform a substring search. It performs a search for a word (technically a segment) that is equal to "toto3", as in <CODE>toto3 is in my event</CODE>. To perform a substring search in Splunk, you use the wildcards like your second search or like what @sanjay.shrestha posted:</P> <PRE><CODE>index=abc *toto3* </CODE></PRE> <P>This finds toto3 when it is inside a segment but does not make up the complete segment, like <CODE>toto3isin my event</CODE>. </P> <P>So the answer to your question is that the substring search is not failing. <CODE>index=abc toto3</CODE> is not a substring search, but <CODE>index=abc *toto3*</CODE> is.</P> Fri, 13 Feb 2015 19:25:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-would-a-basic-substring-search-fail/m-p/137712#M37766 wpreston 2015-02-13T19:25:24Z