Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search results not displayed when using certain fields in the initial search string

Blu3fish
Path Finder
‎09-21-2010 09:51 PM

This is probably pretty straightforward but on my search head the following will not return any results:

index=train sourcetype=transcript slotID=1234

whereas the following will:

index=train sourcetype=transcript | search slotID=1234

slotID is a unique field extracted via props/transforms. Permissions are defined as read:everyone, write:admin What am I doing wrong?

Note that for other searches, I can query a unique field and it results will be returned: index=train sourcetype=transcript status=running (here "status" is extracted via the same props/transforms mechanism)

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-21-2010 10:36 PM

This typically happens for two reasons.

  1. The value of slotID, here "1234", is not searchable on its own. We optimize searches by replacing the equality with the value, and post-filter. If this is the case, you can mark "slotID" as "INDEXED_VALUE = false" in fields.conf.
  2. If the slotID extraction is configured via an eventtype in props.conf, it will be extracted, but not searchable in the first search clause. There is no workaround for this.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-21-2010 10:36 PM

This typically happens for two reasons.

  1. The value of slotID, here "1234", is not searchable on its own. We optimize searches by replacing the equality with the value, and post-filter. If this is the case, you can mark "slotID" as "INDEXED_VALUE = false" in fields.conf.
  2. If the slotID extraction is configured via an eventtype in props.conf, it will be extracted, but not searchable in the first search clause. There is no workaround for this.
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...