- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Cannot search customized field ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can search by the following field key,
test_field=*
and Splunk Web displayed the lists.
Then I select the "test_field=testA"(so following keywords), but displayed no lists.
test_field=* test_field=testA
And the following search command display no result.
test_field=testA
Furthermore, I add "| search" between the two kewords, then displayed properly.
test_field=* | search test_field=testA
Why is this happened ?
Thank you for helping.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're not telling us how your field is extracted, but I strongly suspect that what you're see is what is described here: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Basically you're likely extracting a field value that isn't part of indexed data, or only part of a token in indexed data. For instance, in the first case, the field could have been extracted in something like this manner:
[myfieldextraction]
REGEX = (matchsomething)
FORMAT = myfield::someothertext
...so the field would have the value "someothertext" even though that value doesn't actually exist at all in the index.
Or, in the second case, the extraction would look something like this:
[myotherfieldextraction]
REGEX = (matchjust)apartofaword
FORMAT = myotherfield::$1
If any of these apply to your extraction, you are very likely seeing the effects that the blog post I linked to talks about.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're not telling us how your field is extracted, but I strongly suspect that what you're see is what is described here: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Basically you're likely extracting a field value that isn't part of indexed data, or only part of a token in indexed data. For instance, in the first case, the field could have been extracted in something like this manner:
[myfieldextraction]
REGEX = (matchsomething)
FORMAT = myfield::someothertext
...so the field would have the value "someothertext" even though that value doesn't actually exist at all in the index.
Or, in the second case, the extraction would look something like this:
[myotherfieldextraction]
REGEX = (matchjust)apartofaword
FORMAT = myotherfield::$1
If any of these apply to your extraction, you are very likely seeing the effects that the blog post I linked to talks about.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, Ayn.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
