Hi,
I have some very strange behaviour from Splunk v4.3.3.
When I search for: index="something", Splunk correctly performs all the required field extractions. In my case one such field extraction is a field named 'tla' (Three Letter Acronym).
Splunk displays all these field extractions for 'tla' as it should, within the event and also as 'interesting fields' on the left of the UI.
However, when the search is scoped down further, e.g. index="something" tla="CIS" (either by typing this into the search dialogue or clicking on the tla="CIS" hyperlink on an event) or anything else valid, Splunk returns no search results. Consequently index="something" tla="CIS*" works completely fine; it simply returns a search result for tla="CIS". Really odd!
A few other points:
There is no white space issue.
Running something like: index="something"|timechart count by tla works fine.
All the values for field 'tla' are listed in the chart. Similar for tables, stats, etc.
I've also created a few other field extractions (different name/regex) and the same thing happens.
There are no other occurrences of this issue. It seems related to only this particular index or sourcetype.
Index corruption?
Has anyone seen this before? Any ideas?
Thanks in advance,
Mark
Very familiar. What you're seeing is this: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
(it says at the end that it's fixed now - I don't know why it says that, it definitely isn't)
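As an added illustration (not code from the thread or from the linked post), the model below reproduces the three observations above under the assumption the linked post describes: an exact field=value search first requires the literal value to exist as an indexed term, which fails when the extraction regex pulls the value out of the middle of a larger token, whereas a wildcard search and a stats/timechart pass never apply that prefilter. The sample events, the extraction regex and the tokenizer rules are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample events: the regex below pulls 'tla' out of a token
# like "site-CIS01", so "CIS" never exists as a standalone indexed term.
EVENTS = [
    "2012-06-01 host=a site-CIS01 status=ok",
    "2012-06-01 host=b site-CIS02 status=ok",
    "2012-06-01 host=c site-NYC01 status=fail",
]

# Search-time extraction, the way an EXTRACT-style regex would define it.
TLA_RE = re.compile(r"site-(?P<tla>[A-Z]{3})\d+")

# Assumed tokenizer: terms are split on whitespace and a few minor breakers.
BREAKERS = re.compile(r"[\s=,;]+")


def index_terms(event):
    return {t.lower() for t in BREAKERS.split(event) if t}


def extract(event):
    m = TLA_RE.search(event)
    return {"tla": m.group("tla")} if m else {}


def search(field, pattern, indexed_value=True):
    """Model of a field=value search. With indexed_value=True a literal
    (non-wildcard) value is first required as an indexed term, which is the
    assumed cause of the symptom; a wildcard pattern skips that prefilter."""
    rx = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
    hits = []
    for ev in EVENTS:
        if indexed_value and "*" not in pattern and pattern.lower() not in index_terms(ev):
            continue  # literal prefilter rejects the event before extraction runs
        val = extract(ev).get(field)
        if val is not None and rx.match(val):
            hits.append(ev)
    return hits


def count_by(field):
    """Model of '| stats count by tla': extraction only, no prefilter."""
    return Counter(v for v in (extract(ev).get(field) for ev in EVENTS) if v)


if __name__ == "__main__":
    print(len(search("tla", "CIS")))                        # 0: exact match misses
    print(len(search("tla", "CIS*")))                       # 2: wildcard works
    print(len(search("tla", "CIS", indexed_value=False)))   # 2: without the prefilter
    print(count_by("tla"))                                  # Counter({'CIS': 2, 'NYC': 1})
```

The third call shows what happens once the literal-term prefilter is switched off; in Splunk that prefilter is governed per field by the INDEXED_VALUE setting in fields.conf.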