Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Simple search not working but search for NOT != does work.

KeithH
Communicator
‎04-07-2022 08:41 PM

Hi All,

I hope someone can enlighten me with this seemingly simple problem.

I have this very simple search return 32 rows and showing that all events have a transaction_type value.

KeithH_0-1649388935571.png

If I click on the D highlighted above I would expect it to show me just the 20 D rows but instead I get:

KeithH_1-1649388994612.png

Very weird.

If I change the search to 

 

index=orafin sourcetype=ORAFIN2 NOT transaction_type!=D

 

Then I get what I want:

KeithH_2-1649389196087.png

Can someone please explain what is happening?

Thanks, Keith

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KeithH
Communicator
‎04-10-2022 09:43 PM

Hi Vatsal,

Thanks for that.  Your suggestion works.  I would have thought that Splunk would search on the field transaction_type which is extracted at search time as a single character field.  

Does this mean if I want to search on the field value (as opposed to words in the _raw) do I need to extract these at index time?

Thanks

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-07-2022 10:42 PM

@KeithH 

Can you please make sure there is No trailing space in transaction_type fields? Just execute below search and check the transaction_type_len, it should be 1 for value D.

index=orafin sourcetype=ORAFIN2 transaction_type="*"
| eval transaction_type_len = len(transaction_type) | table transaction_type transaction_type_len

 

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution

KeithH
Communicator
‎04-10-2022 09:37 PM

Hi Kamlesh,

Thanks for the suggestion.  I ran what you sent but it shows the field values as 1 byte long.  

KeithH_0-1649651866044.png

So its not htat.

 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-07-2022 10:01 PM

@KeithH - Splunk is searching "D" in the _raw log (events). But in the event, it's not D as alone and that is the reason it is not working. If this is the case then use the following instead:

index=orafin sourcetype=ORAFIN2 transaction_type="D*"

 

I hope this helps!!!!

Reply
Solved! Jump to solution
Solution

KeithH
Communicator
‎04-10-2022 09:43 PM

Hi Vatsal,

Thanks for that.  Your suggestion works.  I would have thought that Splunk would search on the field transaction_type which is extracted at search time as a single character field.  

Does this mean if I want to search on the field value (as opposed to words in the _raw) do I need to extract these at index time?

Thanks

Tags (1)
0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-11-2022 03:02 AM

You can use index-time extraction if you want better performance.

Just make sure your search syntax will be something like the below:

index=orafin sourcetype=ORAFIN2 indexed_transaction_type::D

 

-----
If this was helpful, an upvote would be appreciated!!!

0 Karma
Reply
Solved! Jump to solution

KeithH
Communicator
‎04-07-2022 08:44 PM

Oh - I am running Enterprise version 8.2.4

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...