Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search does not return results for some values of one character extracted field

hmozaffari
Path Finder
‎07-07-2015 07:46 AM

I have defined an extracted field called "log_level" which holds one character values ("E","W,"I"). The definition of extracted field is fine and Splunk correctly identify them, group them and show the counts in left side summary box when I search for all events.

But when I search for certain values, even though they exist, Splunk doesn't return any result. For example log_level="E" and log_level="I" returns results but log_level="W" doesn't. I thought it might be related to popularity of those values but it doesn't. In my source 1% of records have "E" value, 9% "W" and 90% "I" value.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-07-2015 08:03 AM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-07-2015 08:03 AM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false
Reply
Solved! Jump to solution

hmozaffari
Path Finder
‎07-07-2015 09:43 AM

Thanks. It resolved it!
Just a hint for others. If your extracted field name is "EXTRACT-MyField" remove the EXTRACT prefix and just refer to it as "[MyField]"

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...