Hey Splunk team,

I’m facing an issue where Splunk fails to search for certain key-value pairs in some events unless I use wildcards (*) in the value. Here's an example to illustrate the problem:

{
"xxxx_ID": "78901",
"ERROR": "Apples mangos lemons. Banana blackberry blackcurrant blueberry.",
"yyyy_NUM": "123456",
"PROCESS": "orange",
"timestamp": "yyyy-mm-ddThh:mm:ss"
}

Query Examples:
This works (using wildcards):

index="idx_xxxx"  *apples mangos lemons*

These don’t work:
-> index="idx_xxxx"  ERROR="Apples mangos lemons. Banana blackberry blackcurrant blueberry."
-> index="idx_xxxx"  ERROR=*apples mangos lemons*
-> The query below, using regex, does not include all error values trying to find any value after the ERROR key: 

index="idx_xxxx" 
| rex field=_raw "ERROR:\s*(?<error_detail>.+?)(?=;|$)"
| table error_detail

Observations:
Non-Latin characters are not the issue because of other events, for example, Greek text in the ERROR field is searchable without wildcards.
This behavior is inconsistent: some events allow exact matches, but others don’t.
Questions:
Could this issue stem from inconsistencies in the field extraction process?
Are there common pitfalls or misconfigurations during indexing or source-type assignments that might cause such behavior?
How can I debug and verify that the keys and values are properly extracted/indexed?
Any help would be greatly appreciated! Thank you!  ‌‌