My automatic lookup field is not searchable unless...

katelynengel · ‎05-13-2014

I am trying to run the following search in Splunk:

index=index1 sourcetype=sourcetype1 bldg=XI

The bldg field is an automatic lookup field and exists in 100% of the events for index=index1 & sourcetype=sourcetype1. However, when I run this search, I only get back less then 1% of the results I would expect.

When I run the search as follows, I get back all of the results I am looking for.

index=index1 sourcetype=sourcetype1 | search bldg=XI

Why do I need to pipe search to get the correct results?

I am using Splunk 6.0.2

TaylorWhitt · ‎02-07-2015

It sounds like you don't have a field extraction set up for bldg. The following documentation will explain why, a lot better than I can.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/WhenSplunkEnterpriseaddsfields
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Indextimeversussearchtime

Default field extractions have to be common to every entry. By identifying the different sourcetype and index, is making the bldg field common to all entries. Then you're performing another search where your string would match.

I could be wrong, but I am going to guess there is an entry where bldg has a value with a space in it?

katelynengel · ‎05-13-2014

There must be an invisible space in my lookup table because when I run the search as follows, it works as expected:

index=index1 sourcetype=sourcetype1 bldg=XI*

katelynengel · ‎05-13-2014

That still doesn't answer though why it works without the * if I | search.

My automatic lookup field is not searchable unless I pipe search for it.

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...