Splunk Search

Add To Search Returns No Results

lynmar
Explorer

I have an index in Splunk enterprise named "my_index". When I search for data using index="my_index" for the last 24 hours I get all results I want. I have some custom tags\fields for instance branch, version, product etc that I want to filter on.

When I click on the branch from the events viewer and click add to search no results are found, even though they were there in the previous results returned for the same time period. Similarly when I type into the search bar and select the autocomplete for the branch I want nothing is returned.

What is the reason this is happening?

Searching index="my_index" in the last 24hrs returns results including branch="mybranch-1-2" but searching for index="my_index" branch="mybranch-1-2" for the last 24hrs returns no results found.

0 Karma
1 Solution

lynmar
Explorer

I needed to change to use colons as apparently it is meta data I'm adding to search. Splunks add to search functionality is misleading.

Wroks:
index="my_index" branch::mybranch

Doesn't work:
index="my_index" branch="mybranch"

View solution in original post

0 Karma

shaikasi
New Member

Try this and its works

index=a

0 Karma

lynmar
Explorer

I needed to change to use colons as apparently it is meta data I'm adding to search. Splunks add to search functionality is misleading.

Wroks:
index="my_index" branch::mybranch

Doesn't work:
index="my_index" branch="mybranch"

0 Karma

niketn
Legend

Can you try the following search?

index="my_index"
| search branch="mybranch-1-2"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Switch to verbose mode, and try this...

index="my_index" | search branch="mybranch*" | head 1

If there are results, try this....

index="my_index" branch="mybranch*" | head 1

If they are still there, then switch back to fast mode and see if they disappear.

Let us know what happened.

0 Karma

lynmar
Explorer

Those suggestions didn't work. I tried them both in fast mode, verbose mode and smart mode.

This doesn't work:

index="my_index" branch="release-5-5"

This Works

index="my_index" branch="blah-blah"

Both the above examples are returned in the original search index="my_index"

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...