Splunk Search

Problem with search for field=value



When I'm indexing my logs, I extract a field called "file_date" from my source. The field is of the form 2013-07-31_01-05-08.

I have some problems when I want to search for a specific file_date.
Say I want to show all events where file_date = 2013-03-20_21-14-36, and I know that there are 71 events with that value.

If I search for this I get no matching events (I tried quotes, escaping _ and -)


However, if I run a search for whatever before it, it works. Like this:

* | search file_date=2013-03-20_21-14-36
file_date=* | search file_date=2013-03-20_21-14-36

I have a total of 1525 different events, all with this field, and all of them are from this year (start with 2013). If I run a search like this

* | search file_date=2013*

I get 1525 events, but if I search for


I only get 72 events.

Does anybody know how to fix this problem?

(In case someone is wondering, the fields are extracted and are showing up in the fields list.
I also have an id field which is extracted in the same way, but only consists of 6 digits, and when I search for that field everything works as normal.)


Splunk Employee

Try file_date=TERM(2013-03-20_21-14-36). More details here:



Super Champion

It is possible that Splunk is not sure whether to treat the values as a number or a string.

Try defining it as a string after the extraction and before the search. See the details here:
