Splunk Search

INGEST_EVAL field returning no results

sarit_s
Communicator

Hello

I have this configuration in transforms.conf:
[adjust_flight_fields]
INGEST_EVAL = flight_id=Designator.Flight_no."_".strftime(strptime(Schedule_time_departure, "%Y-%m-%d %H:%M"), "%s"), registration_prefix:=if(isnull(registration_prefix), "", registration_prefix), Tail_no:=registration_prefix.Tail_no

I see the flight_id field under "Selected fields", but when I try to use it in a search such as

index=* flight_id=dhdhd

I get no results.

Also, if I search for

flight_id !=fdfd
then I get results without the ID I selected.

Can someone tell me what the problem is?

Thanks

1 Solution

martin_mueller
SplunkTrust

INGEST_EVAL creates index-time fields, and searching for custom index-time fields is special. Either:

  • define the field as indexed in fields.conf and search using =
  • use tstats with =
  • search using :: instead of =, e.g. flight_id::dhdhd

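The three options above, written out for this thread's own field and value as an added example (not part of the original answer). The reason a plain flight_id=value search misses is that, for a field Splunk has not been told is indexed, it assumes the value also appears verbatim in _raw and prefilters on that term; a value built by INGEST_EVAL (Designator.Flight_no."_".epoch) never appears in the raw event, so nothing survives the prefilter. The fields.conf stanza removes that assumption, tstats reads the indexed field directly, and the :: form forces an indexed-field lookup. The app name "flights" and the TRANSFORMS-adjust name are assumptions; the searches use the sourcetype and value from the thread.

```ini
# Added example, not from the original thread.
# $SPLUNK_HOME/etc/apps/flights/local/fields.conf  (app name "flights" is assumed)
# Deploy this on the search head(s); it is separate from the transforms.conf
# stanza in the question, which still has to exist on the indexing tier.
[flight_id]
INDEXED = true
# INDEXED_VALUE is only consulted when INDEXED = false, so it is not set here.
# With INDEXED = true, Splunk stops requiring the value to also be a raw-text
# token, which is what made "flight_id=<value>" return nothing.

# Option 1 - once the stanza above is in place, the ordinary form works:
#   index=prod sourcetype=flights flight_id=BY125_1567729200

# Option 2 - works without fields.conf, but tstats returns aggregates,
#   not the events themselves:
#   | tstats count where index=prod sourcetype=flights flight_id=BY125_1567729200

# Option 3 - works without fields.conf and returns the events. Do not wrap
#   it in TERM(): TERM() matches raw tokens only, and both TERM() forms tried
#   in the thread returned nothing; the bare :: form is what finally worked.
#   index=prod sourcetype=flights flight_id::BY125_1567729200

# Reminder for the indexing tier (props.conf, not fields.conf): the
# transforms.conf stanza from the question only runs when a props.conf
# stanza references it, e.g. for the sourcetype used above
# (the "adjust" suffix is an arbitrary assumed name):
#   [flights]
#   TRANSFORMS-adjust = adjust_flight_fields
```

Index-time fields are baked into the buckets at ingest, so a change to the INGEST_EVAL expression only affects data indexed afterwards; events that were already indexed keep whatever flight_id value they got, and the searches above will only find them under that old value.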

sarit_s
Communicator

Thanks for your answer.
I tried the third option, but still no results.
Any suggestions?

martin_mueller
SplunkTrust

Option 1, Option 2?

sarit_s
Communicator

I didn't try option 1. The configuration is placed in transforms.conf.
Is there any difference?

Option 2: this is the only way it returns any results:

| tstats count where flight_id=BY125_1567729200 index=prod sourcetype=flights

Is there a way to return the event list instead of the count?

martin_mueller
SplunkTrust

If tstats works then flight_id::TERM(BY125_1567729200) will work too.

sarit_s
Communicator

Well, this is the query:

index=prod sourcetype=flights flight_id::TERM(BY125_1567729200)

and it returns no results.

martin_mueller
SplunkTrust

Maybe it was TERM(flight_id::BY125_1567729200)

sarit_s
Communicator

Still no results.

martin_mueller
SplunkTrust

Paste the full search you are running.

sarit_s
Communicator

index=prod sourcetype=flights TERM(flight_id::BY125_1567729200)

martin_mueller
SplunkTrust

Mkay, and without any TERM() around it?

sarit_s
Communicator

Awesome! Thanks.
Please post it as an answer so I can accept it.

martin_mueller
SplunkTrust

Edited the answer.
