Extremely confused with :: vs =

Kindred
Path Finder

On our forwarders we have a [default] _meta value that specifies a few key::value pairs, e.g. a key to tell us which site the server forwarding the data belongs to (e.g. site::staging).

When I search for site=staging I get fewer results than with site::staging, and I can't seem to find relevant documentation that explains why. It also isn't easy to determine what is actually being filtered in the former compared to the latter when I look at the results (there is no easy/logical at-a-glance answer).

If I take a specific host and a simple file we monitor, like host=someserver source=/var/log/messages, the result set is vastly different: site::staging returns what seems to be the entire log, while site=staging gives just a few lines from the log (and those lines don't contain any text that mentions staging either). I can't think of any logic that would dictate why just a few lines seem to match site=staging; I'd expect that field to be either searchable or not, not to return some odd subset of the data. Also, the UI highlights the source field in the events as matching staging when I do site::staging, which suggests it thinks it knows what I want. This makes it even more annoying when using the UI to add a field to the search, because when you click the site field and "add to search" it adds it as site=staging, which doesn't yield all the results.

This is with SplunkCloud if that makes any difference.


gjanders
SplunkTrust

In terms of syntax, the :: is obviously to use only indexed fields, and the = should use indexed or non-indexed fields, as per the documentation:

Write better searches : Use_indexed_and_default_fields

Effectively if you are using = you are looking for something extracted at search time, if you use :: you are looking for an indexed field.

From "Use fields to retrieve events" in the documentation:

When searching for default field values and custom indexed field values you can use the standard <field>=<value> syntax. This syntax matches default fields, custom indexed fields, and search-time fields. 

If you are not seeing all the results with = but you do see them with ::, I'd log a support case. Have you tested in smart mode and fast mode, just in case, to see if there is a difference?
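As an added illustration (not part of the original post or answer, and not Splunk's own text), here is the forwarder-side _meta setting the question describes, the fields.conf stanza that Splunk's fields.conf.spec documents for declaring an index-time field on the search head, and the two search forms side by side. The index name, host and stanza placement are assumptions for illustration only; whether a missing fields.conf entry is the cause of the poster's symptom is not something this thread confirms.

```ini
# inputs.conf on the forwarder (constructed to match the question's description):
# every event this forwarder sends carries the indexed field site=staging.
[default]
_meta = site::staging

# fields.conf on the search head (assumption: no stanza for "site" exists yet).
# fields.conf.spec documents INDEXED=true as the declaration that a field was
# created at index time. With no stanza at all, the spec's defaults (INDEXED=false,
# INDEXED_VALUE=true) apply, and a search for site=staging is expanded into
# "staging AND site=staging", i.e. the literal term must also appear in the
# event's raw text; events whose _raw never tokenizes to "staging" are dropped
# before the field comparison is ever made.
[site]
INDEXED = true

# Searches (index name and host are illustrative, not from the thread):
#   Indexed-field-only syntax; reads the field directly from the index:
#     index=os host=someserver source=/var/log/messages site::staging
#   Default syntax; with the stanza above it should match the same events:
#     index=os host=someserver source=/var/log/messages site=staging
#   Check after deploying fields.conf: the two counts should agree.
#     index=os site::staging | stats count
#     index=os site=staging  | stats count
```

On Splunk Cloud, fields.conf cannot be edited on the search head directly; it has to ship inside an app installed on the search tier (self-service app install where available, otherwise via a support request), which is worth mentioning in the support case.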

Kindred
Path Finder

Fast Mode vs Smart Mode doesn't make any difference. We'll lodge a support case and I'll update with any answer.


rxdeleon
Explorer

I'm running into this same issue and have not found a solution. Was Splunk Support able to help you resolve it?


cmerriman
Super Champion

Kindred
Path Finder

It helps as background on where :: came from, but doesn't really explain the issue.
