I am sending Apache web access logs to Splunk with one of the fields called user_id, and I can see the field on the left panel.
Can anyone tell me the difference between the 2 queries below? I think the search results should be the same for both queries. However, the first query returns 0 results, but the second query returns results with the field user_id = myuserid.
sourcetype="apache.web.access" user_id="myuserid" | table _time, user_id, _raw
sourcetype="apache.web.access" | search user_id="myuserid" | table _time, user_id, _raw