https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265920#M79933 <P>Yes and I think it is down to the order of filtering and the application of calculated fields and lookups.</P> <P>For a search that ends up returning 48,532 events (historical so no change in the data between runs) the :: search does</P> <PRE><CODE>1.99 command.search.calcfields 13 48,532 48,532 0.77 command.search.lookups 13 48,532 48,532 </CODE></PRE> <P>Compared to the = search doing</P> <PRE><CODE>2.58 command.search.calcfields 12 58,963 58,963 1.05 command.search.lookups 12 58,963 58,963 </CODE></PRE> <P>The more events the :: discards the better the performance improvement (and I do appreciate that moving the lookups and field calculations into the search would probably yield the same results but the value of that enrichment always being available is pretty high)</P> <P>It was more of a "does anyone know of an existing bug - before I keep digging" kind of question. Next step is to copy some of the data and test on 6.3.2 before bothering support.</P> Fri, 05 Feb 2016 17:44:49 GMT mevans292 2016-02-05T17:44:49Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265915#M79928 <P>We are using a CSV input, which generates indexed extractions - some of the field values contain spaces.</P> <P>Here is some walklex output that shows the values captured in the .tsidx</P> <PRE><CODE>1887 2 product_categorization_tier_2::security systems 1888 3 product_categorization_tier_2::server systems 1889 1 product_categorization_tier_2::system software </CODE></PRE> <P>However all of the following search terms fail:</P> <PRE><CODE>product_categorization_tier_2::security systems product_categorization_tier_2::"security systems" "product_categorization_tier_2::security systems" </CODE></PRE> <P>but <CODE>product_categorization_tier_2::security*</CODE> works.</P> <P>Where the searches work (in fields with no spaces) there is a noticeable improvement in search performance.</P> <P>Looking at the job inspector, it looks like something is going wrong as the search term is translated to a remote search:</P> <P>The search: search index=xxxxxx product_categorization_tier_2::"security systems"</P> <P>Becomes: litsearch index=xxxxxx <STRONG>product_categorization_tier_2:: "security systems"</STRONG> | </P> <P>Note the extra space after the double colon.</P> <P>So - am I using an incorrect format for dealing with the spaces or is this a bug? (Splunk 6.3.0)</P> Tue, 29 Sep 2020 08:39:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265915#M79928 mevans292 2020-09-29T08:39:21Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265916#M79929 <P>Have you tried searching for product_categorization_tier_2="security systems" ? That is field=value, like you have for index=xxxxxx</P> Tue, 29 Sep 2020 08:40:54 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265916#M79929 jplumsdaine22 2020-09-29T08:40:54Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265917#M79930 <P>Yes - that works but as noted in the question where :: works (no spaces in the values) the searches are significantly quicker than the equivilent search using =</P> Fri, 05 Feb 2016 13:32:32 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265917#M79930 mevans292 2016-02-05T13:32:32Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265918#M79931 <P>Interesting I didn't know you could do that (other readers see here: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Usefieldstoretrieveevents">http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Usefieldstoretrieveevents</A> look for "double colon")</P> <P>I can't get it working either. I tries escaping with </P> <PRE><CODE>\" or &amp;quot; </CODE></PRE> <UL> <LI>no joy. </LI> </UL> <P>I'm only getting very minor performance improvements when searching for fields like <CODE>key::no_space</CODE> - milliseconds differences compared to key=value over millions of results. Are you seeing more dramatic improvements?</P> Fri, 05 Feb 2016 15:48:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265918#M79931 jplumsdaine22 2016-02-05T15:48:14Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265919#M79932 <P>Sometimes - on some queries I have seen a 20% difference on 30-60 seconds of execution time. Looking at the job inspector the key difference seems to be that the :: filter applies before lookups and field calculations, so that less overall "work" gets done - if you have no auto lookups or calculated fields that may be why we see such different results. </P> <P>The more events that the :: operation filters out the better the performance gain</P> <P>For a historical search - so the same number of events are involved (58,963 in scope, 48532 matching) I see the :: search do:</P> <P>1.99 command.search.calcfields 13 48,532 48,532<BR /> and<BR /> 0.77 command.search.lookups 13 48,532 48,532</P> <P>While the = search does:</P> <P>2.58 command.search.calcfields 12 58,963 58,963<BR /> and<BR /> 1.05 command.search.lookups 12 58,963 58,963</P> <P>I need to try on 6.3.2 before raising a support ticket.</P> Fri, 05 Feb 2016 17:34:50 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265919#M79932 mevans292 2016-02-05T17:34:50Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265920#M79933 <P>Yes and I think it is down to the order of filtering and the application of calculated fields and lookups.</P> <P>For a search that ends up returning 48,532 events (historical so no change in the data between runs) the :: search does</P> <PRE><CODE>1.99 command.search.calcfields 13 48,532 48,532 0.77 command.search.lookups 13 48,532 48,532 </CODE></PRE> <P>Compared to the = search doing</P> <PRE><CODE>2.58 command.search.calcfields 12 58,963 58,963 1.05 command.search.lookups 12 58,963 58,963 </CODE></PRE> <P>The more events the :: discards the better the performance improvement (and I do appreciate that moving the lookups and field calculations into the search would probably yield the same results but the value of that enrichment always being available is pretty high)</P> <P>It was more of a "does anyone know of an existing bug - before I keep digging" kind of question. Next step is to copy some of the data and test on 6.3.2 before bothering support.</P> Fri, 05 Feb 2016 17:44:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265920#M79933 mevans292 2016-02-05T17:44:49Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265921#M79934 <P>Indexed terms are just that...terms. They may look like fields with a :: operator (name::value vs name=value) but they are not fields. They are just explicitly formatted terms in TSIDX and within a given term, spaces are just characters like any other.</P> <P>When processing SPL, however:</P> <UL> <LI>spaces <STRONG>separate</STRONG> terms</LI> <LI>the quotes around a list of terms are ignored when searching TSIDX </LI> </UL> <P>So Splunk is interpreting each of your "non-working" SPL examples as either a search for<BR /> <CODE>product_categorization_tier_2::security AND systems</CODE> or <CODE>product_categorization_tier_2:: AND security AND systems</CODE><BR /> as follows:</P> <UL> <LI><CODE>product_categorization_tier_2::security systems</CODE> (2 terms) because spaces separate terms</LI> <LI><CODE>product_categorization_tier_2::"security systems"</CODE> (3 terms) because when Splunk sees non-escaped quotes it assumes the intention is to begin a new (list of) term(s) even if there is no space <STRONG>and</STRONG> quotes are ignored when searching TSIDX</LI> <LI><CODE>"product_categorization_tier_2::security systems"</CODE> (2 terms) because quotes are ignored when searching TSIDX</LI> </UL> <P><CODE>product_categorization_tier_2::security*</CODE>, in the other hand, will match any term beginning with <CODE>product_categorization_tier_2::security</CODE> whether or not the remainder of the term contains spaces.</P> <P>To achieve what you are trying to do use <CODE>TERM(product_categorization_tier_2::security systems)</CODE> which causes everything in the parentheses to be considered a single term, including the space.</P> Tue, 27 Dec 2016 19:32:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265921#M79934 ybongart_splunk 2016-12-27T19:32:13Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265922#M79935 <P>In Splunk 7.0.3.1, using TERM() didn't return results , but escaping the space did:<BR /> <CODE>product_categorization_tier_2::security\ systems</CODE></P> Tue, 19 Nov 2019 13:07:27 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-search-fail-when-searching-indexed-extractions-with/m-p/265922#M79935 mschaaf 2019-11-19T13:07:27Z