Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

My search for a field=value returns 0 events when I know there should be events returned. Why?

the_wolverine
Champion
‎04-26-2010 08:52 PM

I have a search-time field extraction that shows up in my pick fields list and everything. The fields list is showing an event count for values that occur for that field. However, when I click on the field value, it returns 0 events.

My search-time extraction REGEX pulls out a portion of the token to return as a value. So, in my raw event, I have a token like a12345b where the value is actually 12345.

What is the problem?

Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎04-26-2010 08:54 PM

There is an additional configuration required when you have an extraction configured to pull a value out of a subtoken. Its a simple edit to fields.conf:

[field_name]
INDEXED=False
INDEXED_VALUE=False

Note that this may impact search performance for this particular field.

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎04-26-2010 09:35 PM

You just lost reputation point for doing that.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎04-26-2010 09:14 PM

I don't understand this question.

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎04-26-2010 08:54 PM

There is an additional configuration required when you have an extraction configured to pull a value out of a subtoken. Its a simple edit to fields.conf:

[field_name]
INDEXED=False
INDEXED_VALUE=False

Note that this may impact search performance for this particular field.

Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎04-29-2010 09:06 AM

Its more common for this case to be hit when the extraction is based of off source, sourcetype, or host values. Not sure these comments apply in that situation.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-26-2010 10:01 PM

Well bad performance is better than not working at all. But indeed to skirt the performance issue for any particular field value 1234, you'd have to always do "myWholeField="1234*" myLittleField="1234", and that makes the whole thing look pretty silly. 😃

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-26-2010 09:28 PM

Another workaround that could work in rare cases is to modify segmentation settings so that the partial token is indexed as a full token. But the default probably already does this for any case that you're realistically likely to run into. It would not be a bad ER to ask for segmentation on letter/digit boundaries, which I believe is currently impossible to configure.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-26-2010 09:26 PM

I would strongly recommend against this solution as it will have an extremely adverse effect on search performance against this field. A much better fix is simply to search on myfield=*myvalue*, myfield=myvalue*, or myfield=*myvalue, as appropriate to your data.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...