https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23261#M4127 <P>It is possible that Splunk is not sure whether to treat the values as a number or a string.<BR /><BR /> Try defining it as a string after the extraction and before the search. See the details here:<BR /> <A href="http://splunk-base.splunk.com/answers/11131/how-to-typecast-an-integer-as-a-string-literal">http://splunk-base.splunk.com/answers/11131/how-to-typecast-an-integer-as-a-string-literal</A></P> Fri, 02 Aug 2013 14:20:36 GMT lukejadamec 2013-08-02T14:20:36Z https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23260#M4126 <P>Hi,</P> <P>When I'm indexing my logs, I extract a field called "file_date" from my source. The field is of the form 2013-07-31_01-05-08. </P> <P>I have some problems when I want to search for a specific file_date.<BR /> Say I want to show all events where file_date = 2013-03-20_21-14-36, and I know that there are 71 events with that value.</P> <P>If I search for this I get no matching events (I tried qoutes, escaping _ and -)</P> <PRE><CODE>file_date=2013-03-20_21-14-36 </CODE></PRE> <P>However, if I run a search for whatever before it works. Like this:</P> <PRE><CODE>* | search file_date=2013-03-20_21-14-36 file_date=* | search file_date=2013-03-20_21-14-36 </CODE></PRE> <P>I have a total of 1525 different events, all with this field, and all of them are from this year (starts with 2013), if I run a search like these</P> <PRE><CODE>file_date=* * | search file_date=2013* </CODE></PRE> <P>I get 1525 events, but if I search for </P> <PRE><CODE>file_date=2013* </CODE></PRE> <P>I only get 72 events.</P> <P>Does anybody know how to fix this problem?</P> <P>(In case someone is wondering, the fields are extracted and are showing up in the fields list. <BR /> I also have an id field which is extracted in the same way, but only consist of 6 digits, and when I search for that field everything works as normal.)</P> Fri, 02 Aug 2013 13:45:03 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23260#M4126 gelica 2013-08-02T13:45:03Z https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23261#M4127 <P>It is possible that Splunk is not sure whether to treat the values as a number or a string.<BR /><BR /> Try defining it as a string after the extraction and before the search. See the details here:<BR /> <A href="http://splunk-base.splunk.com/answers/11131/how-to-typecast-an-integer-as-a-string-literal">http://splunk-base.splunk.com/answers/11131/how-to-typecast-an-integer-as-a-string-literal</A></P> Fri, 02 Aug 2013 14:20:36 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23261#M4127 lukejadamec 2013-08-02T14:20:36Z https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23262#M4128 <P>I think you might be running into this: <A href="http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/">http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/</A></P> Fri, 02 Aug 2013 17:33:19 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23262#M4128 Ayn 2013-08-02T17:33:19Z https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23263#M4129 <P>Try <CODE>file_date=TERM(2013-03-20_21-14-36)</CODE>. More details here:</P> <P><A href="http://splunk-base.splunk.com/answers/68584/why-does-my-search-not-find-the-%5C_">http://splunk-base.splunk.com/answers/68584/why-does-my-search-not-find-the-\_</A></P> Fri, 02 Aug 2013 17:45:30 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-search-for-field-value/m-p/23263#M4129 sowings 2013-08-02T17:45:30Z