Why does a search on the "query" field yield diffe...

landen99 · ‎11-27-2018

The following two searches yield very different results:

...|search NOT [...|rename field AS query]
...| rename query AS query_name | search NOT[...|rename field AS query_name]

landen99 · ‎11-27-2018

...|search NOT [...|rename field AS query]

Does not search the field query, but instead the raw data.
Instead of searching:
NOT(query=value1 OR query=value2 ...)
It searches
NOT(_raw=value1 OR _raw=value2 ...)

If you want to actually search the query field then do this:

   ...| rename query AS query_name |search NOT [...|rename field AS query_name] | rename query_name AS query

Why does a search on the "query" field yield different results than on another name like "query_name"?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Why does a search on the "query" field yield different results than on another name like "query_name"?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine