Splunk Search

Field is extracted by default, but no results based on its values?

fishmong3r
Explorer

Returns thousands of entries:

index=myindex sourcetype=mysourcetype

Returns all (8 atm) uuid values, and all start with '211d':

index=myindex sourcetype=mysourcetype | table uuid | dedup uuid

211d644bc2

211d788fa3

211d520cc2

etc.

These return nothing. 0 matches found for the same time period as the previous two queries:

index=myindex sourcetype=mysourcetype uuid=211d*
index=myindex sourcetype=mysourcetype uuid="211d*"
index=myindex sourcetype=mysourcetype uuid=211d%
index=myindex sourcetype=mysourcetype uuid="211d%"

Why is this? Is it an indexing issue?
0 Karma

PickleRick
SplunkTrust

How is that field extracted?

0 Karma

fishmong3r
Explorer

I don't know, but it is there among the fields by default.

0 Karma

PickleRick
SplunkTrust

Can you give us an example of an event containing that field?

0 Karma

fishmong3r
Explorer

I hope I cleaned it up well enough. 🙂

[Attached screenshot: Screenshot 2023-03-03 at 11.54.21.png]

0 Karma

PickleRick
SplunkTrust

Yeah, you cleaned it to the point that it's missing the most important thing I wanted to see. If the extracted field is not bound by breakers (like when it is taken from the middle of a word), it will not be easily searchable (or at least not very quickly) due to how Splunk works. If you look at the job log, you'll see the LISPY search that is sent to the indexer(s). It describes exactly what the indexer(s) will be looking for. So in the case of your condition, Splunk will be searching all events that have "uuid<something>" indexed as a separate term and then it will try to "fit" it into the field definition. If your field is extracted from the middle of a string (like from "mynameisuuid23452" you extract everything after the "mynameis" part), Splunk won't find it with such a simple search because it's not indexed as a term.

0 Karma
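To see the distinction PickleRick describes in practice, the following SPL, added here as an example and not part of the thread, contrasts a field filter in the base search (resolved against indexed terms on the indexers) with the same filter applied after the first pipe (evaluated against the extracted field on the search head), and ends with a check for whether uuid is an indexed field. It assumes the index, sourcetype and field names from the question, and uses triple-backtick inline comments, which need a Splunk version that supports them.

```spl
``` 1. Filter in the base search. The search head compiles uuid=211d* into
    a LISPY term search that the indexers run against the tsidx files.
    If the uuid value was not tokenised as a standalone term at index
    time (e.g. it sits in the middle of a longer token), this returns
    nothing even though the field appears after extraction. ```
index=myindex sourcetype=mysourcetype uuid=211d*

``` 2. Same filter after the first pipe. The base search now retrieves
    every event for the index/sourcetype, field extraction runs, and the
    wildcard is matched against the extracted uuid value. Slower, but
    independent of how the value was tokenised at index time. ```
index=myindex sourcetype=mysourcetype
| search uuid=211d*

``` 3. Equivalent post-extraction filter with where/like, for cases where
    a SQL-style pattern is clearer than a wildcard. ```
index=myindex sourcetype=mysourcetype
| where like(uuid, "211d%")

``` 4. Diagnostic: tstats only sees indexed fields. If this returns the
    211d... values, uuid is an indexed field (PickleRick's last question)
    and the field::value form below will match it directly; if it returns
    nothing, uuid is a search-time extraction and query 1 depends on the
    raw text being tokenised as a separate term. ```
| tstats count where index=myindex sourcetype=mysourcetype by uuid

index=myindex sourcetype=mysourcetype uuid::211d*
```

For any of these searches, Job > Inspect Job > search.log shows the "base lispy" line, which is the term search the indexers actually executed.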

fishmong3r
Explorer

So, I can confirm that it's not extracted from a string. This uuid is sort of an API key that is sent separately as a standalone http header.

0 Karma

PickleRick
SplunkTrust

You mean that it's not included in the _raw message but is stored in an additional indexed field only?

0 Karma