https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186936#M53850 <P>yes it returns the same result as doing it without the quotes.</P> Tue, 17 Mar 2015 19:31:40 GMT rgoody 2015-03-17T19:31:40Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186931#M53845 <P>Have source from cisco:asa with a field value of user. </P> <P>The following search(s) will return all values for user:<BR /> (This search for example would return 30 events with a user value in 100%)<BR /> <STRONG>sourcetype=cisco:asa message_id=722051</STRONG><BR /> (This search for example would return 30 events with a user value in 100%)<BR /><BR /> <STRONG>sourcetype=cisco:asa message_id=722051 user=</STRONG>*</P> <P>If I attempt to get more specific on the user value like below, no results are found even though its found in the above search:<BR /> <STRONG>sourcetype=cisco:asa message_id=722051 user=testuser1234</STRONG></P> <P>If I attempt this search events are also returned:<BR /> <STRONG>sourcetype=cisco:asa message_id=722051 user=testuser</STRONG>*<BR /> or<BR /> <STRONG>sourcetype=cisco:asa message_id=722051 user=test*1234</STRONG></P> <P>So as long as my user= contains a wildcard results are found. What could be causing this issue?</P> Mon, 16 Mar 2015 18:06:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186931#M53845 rgoody 2015-03-16T18:06:51Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186932#M53846 <P>Are you sure you don't have any special characters in the "user" field values that might be throwing off the comparison for you? </P> <P>Try this, on the left side of your search screen there should be a list of "interesting fields". Expand the "user" field and select the value that you are looking for. This should add the filter to your search with the exact user value.</P> <P>Hope this helps</P> Mon, 16 Mar 2015 19:13:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186932#M53846 aholzer 2015-03-16T19:13:18Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186933#M53847 <P>Hi, have you try with doublequote:<BR /> user="testuser1234"</P> Tue, 17 Mar 2015 11:43:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186933#M53847 btt 2015-03-17T11:43:33Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186934#M53848 <P>this search: <CODE>sourcetype=cisco:asa message_id=722051 user=testuser1234</CODE> is very good <BR /> and retuned you events which sourcetype=cisco:asa ; message_id=722051 and user=testuser1234 <BR /> if no results are found even though its found in the above search then,<BR /> you don't have a USER where <STRONG>user=testuser1234</STRONG> simply in your data or events. or you don't write fine user value in your events.<BR /> if you want try this search to understand fine : <CODE>sourcetype=cisco:asa message_id=722051 NOT(user=testuser1234)</CODE></P> <P>sorry for my english.</P> Mon, 28 Sep 2020 19:10:26 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186934#M53848 fdi01 2020-09-28T19:10:26Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186935#M53849 <P>so when I do the search sourcetype=cisco:asa message_id=722051 and click on the user field it will show 32 events for say user testuser1234 then when I click to add that user to the search it will then only show 19 events.</P> Tue, 17 Mar 2015 19:30:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186935#M53849 rgoody 2015-03-17T19:30:59Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186936#M53850 <P>yes it returns the same result as doing it without the quotes.</P> Tue, 17 Mar 2015 19:31:40 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186936#M53850 rgoody 2015-03-17T19:31:40Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186937#M53851 <P>That would be because only 19 of your original 32 events have that particular user in them. This sounds like the intended behavior. What are you expecting?</P> Tue, 17 Mar 2015 19:48:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186937#M53851 aholzer 2015-03-17T19:48:53Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186938#M53852 <P>No because if I just look at those same events without filter by user=testuser1234 all events have the user field in them with the user value of testuser1234.</P> <P>So for example if testuser1234 logs-in the event is created and I can see the event with the user field and a value of testuser1234 but If I filter the search using user=testuser1234 that event is not found unless I filter with a wildcard such as user=test* or any other filter with a wildcard.</P> Tue, 17 Mar 2015 19:53:42 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186938#M53852 rgoody 2015-03-17T19:53:42Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186939#M53853 <P>Let me get this straight.</P> <P>When you run it with the user=test* you get 32 events, if you click the "user" field on the left "interesting fields" you get an entry for user="testuser1234" and a count of 32. But, when you click on said user to add the filter to your search, you then only receive 19 events in your results. Is this correct?</P> Tue, 17 Mar 2015 19:57:38 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186939#M53853 aholzer 2015-03-17T19:57:38Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186940#M53854 <P>Is your user field a mv (multi-value) field, by any chance?</P> Tue, 17 Mar 2015 19:59:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186940#M53854 aholzer 2015-03-17T19:59:02Z https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186941#M53855 <P>Yes that is correct, no it is not a multi-value field</P> Thu, 19 Mar 2015 20:09:52 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-my-searches-not-returning-any-events-unless-I-use-a/m-p/186941#M53855 rgoody 2015-03-19T20:09:52Z