When I'm indexing my logs, I extract a field called "file_date" from my source. The field is of the form 2013-07-31_01-05-08.
I have some problems when I want to search for a specific file_date.
Say I want to show all events where file_date = 2013-03-20_21-14-36, and I know that there are 71 events with that value.
If I search for this I get no matching events (I tried quotes, escaping _ and -).
However, if I run a search for whatever before it, it works. Like this:
* | search file_date=2013-03-20_21-14-36
file_date=* | search file_date=2013-03-20_21-14-36
I have a total of 1525 different events, all with this field, and all of them are from this year (starts with 2013). If I run a search like these
file_date=*
* | search file_date=2013*
I get 1525 events, but if I search for
I only get 72 events.
Does anybody know how to fix this problem?
(In case someone is wondering, the fields are extracted and are showing up in the fields list.
I also have an id field which is extracted in the same way, but only consists of 6 digits, and when I search for that field everything works as normal.)
It is possible that Splunk is not sure whether to treat the values as a number or a string.
Try defining it as a string after the extraction and before the search. See the details here:
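As an added example, not part of the answer above, this is one way to apply that suggestion in SPL: coerce the field to a string right after extraction and compare it with an eval-style string comparison before counting. The base search `file_date=*` is taken from the question; the output field name `exact_matches` is my own choice.

```spl
file_date=*
| eval file_date=tostring(file_date)
| where file_date=="2013-03-20_21-14-36"
| stats count AS exact_matches
```

The `where` command compares the coerced string value directly, so the count it returns can be checked against the 71 events expected for that value.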