Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cannot search customized field ...

sunrise
Contributor
‎05-12-2013 09:56 PM

I can search by the following field key,

test_field=*

and Splunk Web displayed the lists.
Then I select the "test_field=testA"(so following keywords), but displayed no lists.

test_field=* test_field=testA

And the following search command display no result. 

test_field=testA

Furthermore, I add "| search" between the two kewords, then displayed properly.

test_field=* | search test_field=testA

Why is this happened ?
Thank you for helping.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-12-2013 11:12 PM

You're not telling us how your field is extracted, but I strongly suspect that what you're see is what is described here: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

Basically you're likely extracting a field value that isn't part of indexed data, or only part of a token in indexed data. For instance, in the first case, the field could have been extracted in something like this manner:

[myfieldextraction]
REGEX = (matchsomething)
FORMAT = myfield::someothertext

...so the field would have the value "someothertext" even though that value doesn't actually exist at all in the index.

Or, in the second case, the extraction would look something like this:

[myotherfieldextraction]
REGEX = (matchjust)apartofaword
FORMAT = myotherfield::$1

If any of these apply to your extraction, you are very likely seeing the effects that the blog post I linked to talks about.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-12-2013 11:12 PM

You're not telling us how your field is extracted, but I strongly suspect that what you're see is what is described here: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

Basically you're likely extracting a field value that isn't part of indexed data, or only part of a token in indexed data. For instance, in the first case, the field could have been extracted in something like this manner:

[myfieldextraction]
REGEX = (matchsomething)
FORMAT = myfield::someothertext

...so the field would have the value "someothertext" even though that value doesn't actually exist at all in the index.

Or, in the second case, the extraction would look something like this:

[myotherfieldextraction]
REGEX = (matchjust)apartofaword
FORMAT = myotherfield::$1

If any of these apply to your extraction, you are very likely seeing the effects that the blog post I linked to talks about.

0 Karma
Reply
Solved! Jump to solution

sunrise
Contributor
‎05-14-2013 07:44 PM

Thank you, Ayn.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...