Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Simple search not working but search for NOT != does work.

KeithH
Path Finder
‎04-07-2022 08:41 PM

Hi All,

I hope someone can enlighten me with this seemingly simple problem.

I have this very simple search return 32 rows and showing that all events have a transaction_type value.

KeithH_0-1649388935571.png

If I click on the D highlighted above I would expect it to show me just the 20 D rows but instead I get:

KeithH_1-1649388994612.png

Very weird.

If I change the search to 

 

index=orafin sourcetype=ORAFIN2 NOT transaction_type!=D

 

Then I get what I want:

KeithH_2-1649389196087.png

Can someone please explain what is happening?

Thanks, Keith

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KeithH
Path Finder
‎04-10-2022 09:43 PM

Hi Vatsal,

Thanks for that.  Your suggestion works.  I would have thought that Splunk would search on the field transaction_type which is extracted at search time as a single character field.  

Does this mean if I want to search on the field value (as opposed to words in the _raw) do I need to extract these at index time?

Thanks

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-07-2022 10:42 PM

@KeithH 

Can you please make sure there is No trailing space in transaction_type fields? Just execute below search and check the transaction_type_len, it should be 1 for value D.

index=orafin sourcetype=ORAFIN2 transaction_type="*"
| eval transaction_type_len = len(transaction_type) | table transaction_type transaction_type_len

 

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution

KeithH
Path Finder
‎04-10-2022 09:37 PM

Hi Kamlesh,

Thanks for the suggestion.  I ran what you sent but it shows the field values as 1 byte long.  

KeithH_0-1649651866044.png

So its not htat.

 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-07-2022 10:01 PM

@KeithH - Splunk is searching "D" in the _raw log (events). But in the event, it's not D as alone and that is the reason it is not working. If this is the case then use the following instead:

index=orafin sourcetype=ORAFIN2 transaction_type="D*"

 

I hope this helps!!!!

Reply
Solved! Jump to solution
Solution

KeithH
Path Finder
‎04-10-2022 09:43 PM

Hi Vatsal,

Thanks for that.  Your suggestion works.  I would have thought that Splunk would search on the field transaction_type which is extracted at search time as a single character field.  

Does this mean if I want to search on the field value (as opposed to words in the _raw) do I need to extract these at index time?

Thanks

Tags (1)
0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-11-2022 03:02 AM

You can use index-time extraction if you want better performance.

Just make sure your search syntax will be something like the below:

index=orafin sourcetype=ORAFIN2 indexed_transaction_type::D

 

-----
If this was helpful, an upvote would be appreciated!!!

0 Karma
Reply
Solved! Jump to solution

KeithH
Path Finder
‎04-07-2022 08:44 PM

Oh - I am running Enterprise version 8.2.4

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...