topic Re: Search does not return results for some values of one character extracted field in Splunk Search

Search does not return results for some values of one character extracted field

hmozaffari — Tue, 29 Sep 2020 06:36:48 GMT

I have defined an extracted field called "log_level" which holds one character values ("E","W,"I"). The definition of extracted field is fine and Splunk correctly identify them, group them and show the counts in left side summary box when I search for all events.

But when I search for certain values, even though they exist, Splunk doesn't return any result. For example log_level="E" and log_level="I" returns results but log_level="W" doesn't. I thought it might be related to popularity of those values but it doesn't. In my source 1% of records have "E" value, 9% "W" and 90% "I" value.

Re: Search does not return results for some values of one character extracted field

woodcock — Tue, 07 Jul 2015 15:03:46 GMT

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false

Re: Search does not return results for some values of one character extracted field

hmozaffari — Tue, 07 Jul 2015 16:43:56 GMT

Thanks. It resolved it!
Just a hint for others. If your extracted field name is "EXTRACT-MyField" remove the EXTRACT prefix and just refer to it as "[MyField]"