https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259650#M77843 <P>Hi your right the text I posted did not contain the information. I think there was a copy/paste issue.</P> <P>Because the event I expect to have on my list has this data:</P> <P>12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156</P> <P>And the method field is in the text. But it just not in my result set.</P> <P>And the text from a event that IS shown</P> <P>12:54:03|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=1024765</P> <P>My timerange of my serach it only 1 hour on a specific date so I know that the event I except is there</P> <P>I can get the event in my result by writing :</P> <P>index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>But I need the search string to look something like this: </P> <P>index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>This text: SWIFT-TEST-RMA-AskProfileDeploySwitch is different for most events</P> Tue, 29 Sep 2020 10:54:21 GMT hsh 2020-09-29T10:54:21Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259645#M77838 <P>Hi</P> <P>I have a specific event massage that I'm trying to search for.</P> <P>Now my ideal seach string looks like this: </P> <P>index=bec_ci_prod deploy_status_type=info direction=exiting method=execute_package </P> <P>Now this search string does not give me a result.</P> <P>But if I remove the last token from the serach like this:</P> <P>index=bec_ci_prod deploy_status_type=info direction=exiting</P> <P>Then I get a result</P> <P>I know the event data is their because I can search specifically for it.</P> <P>The text that contain what im looking for looks like this:</P> <P>12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156</P> <P>Any ideas of how to do a search that would show this ?</P> <P>Kind Regards<BR /> Henrik</P> Tue, 29 Sep 2020 10:50:08 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259645#M77838 hsh 2020-09-29T10:50:08Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259646#M77839 <P>I have a feeling your fields arent being extracted properly. What do you get if you do the following:</P> <PRE><CODE>index=bec_ci_prod deploy_status_type=info direction=exiting | table deploy_status_type direction method </CODE></PRE> <P>Do you have any values for method? If not you need to work on your field extractions...</P> Wed, 07 Sep 2016 08:01:46 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259646#M77839 esix_splunk 2016-09-07T08:01:46Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259647#M77840 <P>Hi</P> <P>I think I need to clarify the search string : index=bec_ci_prod deploy_status_type=info direction=exiting method=execute_package </P> <P>Does return a result however there is a certain event that should fit this search criteria, but its not in the search result.</P> <P>This is the text from an event that is in the result:</P> <P>09:46:15|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=http method_duration=48977</P> <P>Now this is the text from the event that is NOT in the result:</P> <P>12:13:49|INFO|internals.py|147| [deploy_status] file=deploy_profile.py engine_type=was method_duration=562156</P> <P>I have a Unique search string that does return the specific event that should be in the result.</P> <P>This string return the event:<BR /> index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting</P> <P>This string does not:<BR /> index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting method=execute_package</P> <P>I have no idea way this is <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 10:50:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259647#M77840 hsh 2020-09-29T10:50:13Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259648#M77841 <P>Ok part of the issue is when you add terms in the form of <STRONG>a=b</STRONG>, Splunk is looking for Key Value Pairs. KV pairs have to be extracted. Try either extracting those Key Value Pairs, or running a literal search by enclosing the terms in quotes.</P> <PRE><CODE>index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch AND ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package") </CODE></PRE> Wed, 07 Sep 2016 13:07:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259648#M77841 esix_splunk 2016-09-07T13:07:36Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259649#M77842 <P>Your search terms are implicitly combined using a boolean AND operation. Any events that do not have a method field will consequentially not qualify for your result set.<BR /> In other words: You are explicitly looking for method=execute_package but that key/value pair is not present in the log event you have listed as not showing up. So, the results are as expected. </P> Wed, 07 Sep 2016 18:47:11 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259649#M77842 s2_splunk 2016-09-07T18:47:11Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259650#M77843 <P>Hi your right the text I posted did not contain the information. I think there was a copy/paste issue.</P> <P>Because the event I expect to have on my list has this data:</P> <P>12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156</P> <P>And the method field is in the text. But it just not in my result set.</P> <P>And the text from a event that IS shown</P> <P>12:54:03|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=1024765</P> <P>My timerange of my serach it only 1 hour on a specific date so I know that the event I except is there</P> <P>I can get the event in my result by writing :</P> <P>index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>But I need the search string to look something like this: </P> <P>index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>This text: SWIFT-TEST-RMA-AskProfileDeploySwitch is different for most events</P> Tue, 29 Sep 2020 10:54:21 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259650#M77843 hsh 2020-09-29T10:54:21Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259651#M77844 <P>Hi I tried modifying the search string as you suggested.</P> <P>However this search string:</P> <P>index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch AND ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>Is just to verify that the event I want in my list is actually their. The original search string also return the event:<BR /> index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting method=execute_package</P> <P>The goal is to have a search string that looks like this:</P> <P>index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>and that will return a list with all the events with this data in it :</P> <P>EVENT1<BR /> 12:51:35|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=406745<BR /> ... 81 lines omitted ...<BR /> source = H:\hudson\jobs\INET-SANDBOX-SERVLETETICKET-AskDeploySwitch\builds\2016-09-06_12-4</P> <P>EVENT2<BR /> 12:13:47|INFO|bitvise.py|408| [b00011103134.res.bec.dk] 12:13:47|INFO|install_profile.py|860| DEPLOYMENT OF rma_test was FINISHED! 12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156<BR /> source = H:\hudson\jobs\SWIFT-TEST-RMA-AskProfileDeploySwitch\builds\2016-09-06_12-02-46\log </P> <P>As I can see it the only difference between these two events is the source information. But do not want to use that either</P> <P>So in short the search string : index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>Need to return EVENT1 &amp; EVENT2 but currently only EVENT1 is in my result</P> Tue, 29 Sep 2020 10:54:28 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259651#M77844 hsh 2020-09-29T10:54:28Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259652#M77845 <P>Hi Guys</P> <P>Thanks for the Input, the result was that :</P> <P>index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")</P> <P>Actually do work. It did return the expected result I just missed it the first run throw.</P> <P>Thanks a lot for the assist</P> Tue, 29 Sep 2020 10:54:31 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-does-now-show-expected-results/m-p/259652#M77845 hsh 2020-09-29T10:54:31Z