Getting Data In

Defined field values showing no results, unless reloaded


Hi, I have a totally weird situation.

The field list on the left shows me the stuff I have defined.
When I click on one of them, I see the field values. But when I then select one, the search does not show anything:

index=amp_sal message_id=AU1

Delivers no results even though Splunk just told me there are AU1 message_ids...
But when I exclude the field I see results:

index=amp_sal message_id!=AU1

And I also see results when I perform a reload in the query:

| extract reload=t 
| search message_id=AU1

So what is going on?
Of course, there have been plenty of restarts.

This is how the fields are defined:

EXTRACT-sal = ^(?<message_id>.{3})(?<date>.{8})(?<time>.{6})(\w\w)(?<process_id>.{5})(?<task>.{5})(?<proctype>.{2})(?<term>.{8})(?<user>.{12})(?<transaction>.{20})(?<app>.{40})(?<client>.{3})(?<message>.{64})(?<src>.{20})

And the best thing is, this is not consistent for the defined fields: some work OK, some exhibit the weird behavior.
I tried to define them individually, but that did not change anything.

Any ideas?

0 Karma
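An added check, not from the original post and not Splunk's own code, that applies the EXTRACT-sal regex from the question to constructed fixed-width events using Python's re module. Because every group in that regex has a fixed width, an event shorter than the full 198-character record, or one with non-word characters in the unnamed (\w\w) slot, fails the whole match, so none of the fields are extracted for that event rather than just message_id; the sample events and field names beyond the regex are assumptions.

```python
import re

# Regex copied from the EXTRACT-sal definition in the question. Python's re
# module spells named groups (?P<name>...), so the PCRE (?<name>...) syntax
# is rewritten before compiling (no lookbehinds here, so this is safe).
SPLUNK_REGEX = (
    r"^(?<message_id>.{3})(?<date>.{8})(?<time>.{6})(\w\w)(?<process_id>.{5})"
    r"(?<task>.{5})(?<proctype>.{2})(?<term>.{8})(?<user>.{12})"
    r"(?<transaction>.{20})(?<app>.{40})(?<client>.{3})(?<message>.{64})"
    r"(?<src>.{20})"
)
PATTERN = re.compile(SPLUNK_REGEX.replace("(?<", "(?P<"))

# Field layout in record order, widths taken from the regex; "_flag" is the
# unnamed (\w\w) group, which must hold two word characters.
LAYOUT = [
    ("message_id", 3), ("date", 8), ("time", 6), ("_flag", 2), ("process_id", 5),
    ("task", 5), ("proctype", 2), ("term", 8), ("user", 12), ("transaction", 20),
    ("app", 40), ("client", 3), ("message", 64), ("src", 20),
]
RECORD_WIDTH = sum(width for _, width in LAYOUT)  # 198 characters


def build_event(**values):
    """Build a constructed fixed-width event; unset fields are space padded."""
    return "".join(
        str(values.get(name, "")).ljust(width)[:width] for name, width in LAYOUT
    )


def extract(event):
    """Apply the extraction the way the regex does: all fields or none."""
    match = PATTERN.match(event)
    if match is None:
        return None
    return {name: value.strip() for name, value in match.groupdict().items()}


def audit(events):
    """Return (message_ids found, count of events the regex rejected)."""
    found, rejected = [], 0
    for event in events:
        fields = extract(event)
        if fields is None:
            rejected += 1
        else:
            found.append(fields["message_id"])
    return found, rejected


if __name__ == "__main__":
    good = build_event(message_id="AU1", date="20190318", time="120000",
                       _flag="OK", user="afx", message="constructed sample")
    print(audit([good, good[:150], build_event(message_id="AU1", _flag="  ")]))
```

Events that the regex rejects still exist in the index, so a negated search such as message_id!=AU1 returns them while message_id=AU1 does not.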


Thanks, but that has the same empty result.
AU1 is one of many possible message IDs (and no, none of them works) that Splunk shows me as available.


0 Karma


Hi @afx,

Does this work?

 index=amp_sal message_id="AU1"

Could it be that AU1 is also a field name? Is it the same regardless of what you type for message_id?

0 Karma