I am a Splunk user and was trying to fix a Splunk query.
In the SPL, the user is using a key-value filter to get the resulting events.
index="as400" sourcetype="pac:avenger:tss:syslog" (status="failure" OR action="failure")
And I see many matching events.
When I rewrite the query like the following, I was hoping to at least see some or all matching events, but instead I get "No results found".
index="as400" sourcetype="pac:avenger:tss:syslog" "failure"
When I looked into the raw events by just querying index="as400" sourcetype="pac:avenger:tss:syslog",
I found no keyword in the raw event containing the string. How is it possible that the word "failure" is not part of the raw event, and yet I see results when I search using the key-value pair in the SPL but no result when only searching by 'failure'? It baffles me!
There are various ways a field could've been extracted, and not necessarily from kv pairs. If you have the necessary privileges, go to Settings -> All configurations and search for "pac:avenger:tss:syslog" (your sourcetype). It should provide you a list of all custom fields that have been defined for your sourcetype. Using that information, you should be able to identify which custom field extraction (calculated field/lookup etc.) is generating those two fields (action/status).
Thanks for the pointer. But I am not able to find that particular sourcetype in Settings -> All configurations or Settings -> Sourcetypes.
In Settings -> All configurations, there will be a filter for app. Make sure that you select "All" in there.
No luck! 😞
The status or action field could be calculated at search time based on other values in _raw.
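As an added illustration (not configuration taken from this thread or from the pac:avenger:tss:syslog source), here is a hypothetical props.conf stanza showing how a search-time calculated field can put the value "failure" into status without that word ever appearing in _raw. The stanza name matches the poster's sourcetype; the rc field, the regex, the eval expression and the sample log line are assumptions constructed for the example.

```ini
# Hypothetical props.conf stanza (added example, not the poster's configuration).
# Constructed raw syslog line it targets; note that the word "failure" is absent:
#   Jan 12 10:02:11 AS400A TSS: user=JSMITH rc=8 signon attempt
[pac:avenger:tss:syslog]

# Search-time regex extraction (assumed): pulls the numeric return code into rc.
# Nothing is written to the index; rc exists only while a search runs.
EXTRACT-rc = rc=(?<rc>\d+)

# Calculated field (assumed): derived from rc at search time, after extractions.
# The literal "failure" lives only here, so status="failure" can match an event
# whose _raw never contains that token.
EVAL-status = if(rc=="0", "success", "failure")
```

With a definition like this, index="as400" sourcetype="pac:avenger:tss:syslog" status="failure" matches because Splunk computes status for every event retrieved by the index and sourcetype terms and then filters on the computed value. The bare keyword search index="as400" sourcetype="pac:avenger:tss:syslog" "failure" is instead a lookup against the indexed tokens of _raw, which for the line above are terms such as rc=8 and signon, so it returns nothing. To find the definition responsible, check Settings -> Fields -> Calculated Fields with the app filter set to All, or run splunk btool props list pac:avenger:tss:syslog --debug on the search head, which prints every EXTRACT-, EVAL-, LOOKUP- and REPORT- setting for the stanza together with the .conf file each one comes from.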
Found it under Fields -> Calculated Fields.
Thank you.