Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field search needs unnecessary wildcard character *

bibekmantree
New Member
‎07-22-2019 02:32 AM

I am doing search on data coming from fluentd k8s.
On top of that data , I wanted to filter on basis of field.

alt text

Add to search field prompts that, there would be count of 7 events. But surprisingly its Zero.
alt text

So I did some trial and error to put wildcards to get data. Here it is.

index=main 200 namespace="*app-s*pace*"
Now all the & events shows up !!

My Question is Why is this happening?
And why -s*pace.
In some fields, keeping * also does not give accurate events.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

oscar84x
Contributor
‎07-22-2019 06:27 AM

Is this a regex based field extraction?
Have a look at the article below and see if this is what you're running into.

https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html

0 Karma
Reply

bibekmantree
New Member
‎07-22-2019 06:41 AM

I had no intention to do namespace="*app-s*pace*" as the result did not show on app-space . I did this trial and error and added these * around the string.

If you see the 1st image, the field is a plain string. app-space and also suggest 7 events will appear but clicking on it (2nd image). Zero events.

0 Karma
Reply

oscar84x
Contributor
‎07-22-2019 06:54 AM

Yes, I believe understand what the problem is. you're describing something similar to what the blog post I shared describes.
The solution for the problem in the article is to add the below stanza to your fields.conf. But that depends on whether it was a regex based field extraction or not, which was my question to you.

[namespace]
INDEXED_VALUE = false
0 Karma
Reply

khoonhuat
New Member
‎07-29-2019 01:56 AM

I have a similar problem.
Running the suggested test below still give me no result. So this blog is unrelated.

"search sourcetype=MyEvents MyField=* | search MyField=ValidValue"

0 Karma
Reply

bibekmantree
New Member
‎07-22-2019 07:07 AM

Honestly, This is my 5th day with Splunk. I have not extracted any fields myself. I set up fluentd in my k8s cluster . Created a HEC in my splunk and provided that data to fluentd running on my k8s. That's it.
Then I can see these data with fields populated in my splunk.(my splunk is a docker container)

let me try as you suggested (blog post).

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...