My search for a field=value returns 0 events when I know there should be events returned. Why?

Champion

I have a search-time field extraction that shows up in my pick fields list and everything. The fields list is showing an event count for values that occur for that field. However, when I click on the field value, it returns 0 events.

My search-time extraction REGEX pulls out a portion of the token to return as a value. So, in my raw event, I have a token like a12345b where the value is actually 12345.

What is the problem?

1 Solution

Champion

There is an additional configuration required when you have an extraction configured to pull a value out of a subtoken. It's a simple edit to fields.conf:

[field_name]
INDEXED=False
INDEXED_VALUE=False

Note that this may impact search performance for this particular field.

Champion

You just lost a reputation point for doing that.

Splunk Employee

I don't understand this question.

Splunk Employee

It's more common for this case to be hit when the extraction is based off of source, sourcetype, or host values. Not sure these comments apply in that situation.

SplunkTrust

Well, bad performance is better than not working at all. But indeed, to skirt the performance issue for any particular field value 1234, you'd have to always do "myWholeField="1234*" myLittleField="1234"", and that makes the whole thing look pretty silly. 😃

Splunk Employee

Another workaround that could work in rare cases is to modify segmentation settings so that the partial token is indexed as a full token. But the default probably already does this for any case that you're realistically likely to run into. It would not be a bad ER to ask for segmentation on letter/digit boundaries, which I believe is currently impossible to configure.

Splunk Employee

I would strongly recommend against this solution as it will have an extremely adverse effect on search performance against this field. A much better fix is simply to search on myfield=*myvalue*, myfield=myvalue*, or myfield=*myvalue, as appropriate to your data.
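To make the mechanism behind the accepted fields.conf fix and the wildcard workaround concrete, here is an added Python model of Splunk's lexicon prefilter (example code written for this page, not from the thread or from Splunk itself). The sample events, the session_id extraction regex and the tokenizer are constructed assumptions that approximate default segmentation.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events (not from the page). The session token has the
# shape the question describes: a12345b, where the wanted value is 12345.
# The third event carries a bare 12345 in another field on purpose.
EVENTS = [
    "2024-01-01T00:00:00 user=alice session=a12345b status=ok",
    "2024-01-01T00:00:01 user=bob session=a99999b status=fail",
    "2024-01-01T00:00:02 user=carol session=a77777b bytes=12345",
]

# Assumed search-time extraction matching the question's description:
# the capture group pulls the digits out of the middle of the token.
EXTRACTIONS = {
    "session_id": re.compile(r"session=[a-z](?P<session_id>\d+)[a-z]"),
}


def tokenize(event):
    """Rough stand-in for Splunk's default index-time segmentation: breaks on
    whitespace and punctuation but not on letter/digit boundaries, so 'a12345b'
    is indexed as one term and '12345' never appears in the lexicon."""
    return {t for t in re.split(r"[\s=,;]+", event) if t}


def search_field(events, field, pattern, indexed_value=True):
    """Emulate `field=pattern` (pattern may contain * wildcards).

    indexed_value=True mirrors the default INDEXED_VALUE setting: Splunk first
    requires an indexed term matching the pattern, and only events surviving
    that prefilter get the extraction applied. indexed_value=False mirrors the
    fields.conf fix in the accepted answer: skip the lexicon prefilter and run
    the (slower) extraction against every event."""
    hits = []
    for ev in events:
        if indexed_value and not any(fnmatchcase(t, pattern) for t in tokenize(ev)):
            continue  # pruned by the lexicon; the extraction never runs
        m = EXTRACTIONS[field].search(ev)
        if m and fnmatchcase(m.group(field), pattern):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    # Default config: 0 events, exactly the symptom in the question.
    print(search_field(EVENTS, "session_id", "12345"))  # []
    # Accepted fix (INDEXED_VALUE=False): found, but every event is scanned.
    print(search_field(EVENTS, "session_id", "12345", indexed_value=False))
    # Wildcard workaround: the lexicon still prefilters, now on *12345*.
    print(search_field(EVENTS, "session_id", "*12345*"))
```

The third event shows why the prefilter alone is not the answer: its lexicon does contain 12345, so it passes the term check, but the extracted session_id is 77777 and the event is still correctly dropped.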
