Splunk Search

My search for a field=value returns 0 events when I know there should be events returned. Why?

the_wolverine
Champion

I have a search-time field extraction that shows up in my pick fields list and everything. The fields list is showing an event count for values that occur for that field. However, when I click on the field value, it returns 0 events.

My search-time extraction REGEX pulls out a portion of the token to return as a value. So, in my raw event, I have a token like a12345b where the value is actually 12345.

What is the problem?

1 Solution

the_wolverine
Champion

There is an additional configuration required when you have an extraction configured to pull a value out of a subtoken. It's a simple edit to fields.conf:

[field_name]
INDEXED=False
INDEXED_VALUE=False

Note that this may impact search performance for this particular field.


the_wolverine
Champion

You just lost a reputation point for doing that.

0 Karma

Simeon
Splunk Employee

I don't understand this question.


Dan
Splunk Employee

It's more common for this case to be hit when the extraction is based off of source, sourcetype, or host values. Not sure these comments apply in that situation.

0 Karma

sideview
SplunkTrust

Well, bad performance is better than not working at all. But indeed, to skirt the performance issue for any particular field value 1234, you'd have to always do myWholeField="1234*" myLittleField="1234", and that makes the whole thing look pretty silly. 😃

0 Karma

gkanapathy
Splunk Employee

Another workaround that could work in rare cases is to modify segmentation settings so that the partial token is indexed as a full token. But the default probably already does this for any case that you're realistically likely to run into. It would not be a bad ER to ask for segmentation on letter/digit boundaries, which I believe is currently impossible to configure.

0 Karma

gkanapathy
Splunk Employee

I would strongly recommend against this solution as it will have an extremely adverse effect on search performance against this field. A much better fix is simply to search on myfield=*myvalue*, myfield=myvalue*, or myfield=*myvalue, as appropriate to your data.

0 Karma
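The accepted fields.conf fix and gkanapathy's wildcard alternative, shown together against the a12345b case from the question. This is an added example, not configuration from the original thread; the sourcetype name, the regex and the extraction class name are assumptions.

```ini
# props.conf (local/): search-time extraction that pulls the digits out of a
# token such as a12345b. Sourcetype and regex are assumptions for this example.
[my_sourcetype]
EXTRACT-subtoken_id = \ba(?<field_name>\d+)b\b

# Why field_name=12345 returns 0 events with only the extraction above:
# the indexer stores "a12345b" as a single term, so the lexicon contains
# a12345b and not 12345. By default Splunk treats a search-time field value
# as an indexed term (INDEXED_VALUE = true) and requires it to exist in the
# lexicon before it scans events, so the lookup fails before the regex runs.

# Fix 1 (the accepted answer): declare that the value is not a full indexed
# term. Goes in fields.conf in the same app's local/ directory. Search then
# falls back to scanning candidate events and running the regex on each,
# which is the performance cost the replies warn about on large time ranges.
[field_name]
INDEXED = false
INDEXED_VALUE = false

# Fix 2 (gkanapathy's alternative): leave fields.conf at its default and make
# the search term itself match the indexed token. The wildcards let the
# lexicon lookup hit a12345b; the filter is then applied to the extracted value.
#   index=main sourcetype=my_sourcetype field_name=*12345*
```

Pick one of the two: with Fix 1 in place a plain field_name=12345 works, while Fix 2 keeps the indexed-term shortcut but requires every search on that field to carry the wildcards.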