Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Simple search not working but search for NOT != does work.

KeithH
Communicator
‎04-07-2022 08:41 PM

Hi All,

I hope someone can enlighten me with this seemingly simple problem.

I have this very simple search return 32 rows and showing that all events have a transaction_type value.

KeithH_0-1649388935571.png

If I click on the D highlighted above I would expect it to show me just the 20 D rows but instead I get:

KeithH_1-1649388994612.png

Very weird.

If I change the search to 

 

index=orafin sourcetype=ORAFIN2 NOT transaction_type!=D

 

Then I get what I want:

KeithH_2-1649389196087.png

Can someone please explain what is happening?

Thanks, Keith

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KeithH
Communicator
‎04-10-2022 09:43 PM

Hi Vatsal,

Thanks for that.  Your suggestion works.  I would have thought that Splunk would search on the field transaction_type which is extracted at search time as a single character field.  

Does this mean if I want to search on the field value (as opposed to words in the _raw) do I need to extract these at index time?

Thanks

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-07-2022 10:42 PM

@KeithH 

Can you please make sure there is No trailing space in transaction_type fields? Just execute below search and check the transaction_type_len, it should be 1 for value D.

index=orafin sourcetype=ORAFIN2 transaction_type="*"
| eval transaction_type_len = len(transaction_type) | table transaction_type transaction_type_len

 

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution

KeithH
Communicator
‎04-10-2022 09:37 PM

Hi Kamlesh,

Thanks for the suggestion.  I ran what you sent but it shows the field values as 1 byte long.  

KeithH_0-1649651866044.png

So its not htat.

 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-07-2022 10:01 PM

@KeithH - Splunk is searching "D" in the _raw log (events). But in the event, it's not D as alone and that is the reason it is not working. If this is the case then use the following instead:

index=orafin sourcetype=ORAFIN2 transaction_type="D*"

 

I hope this helps!!!!

Reply
Solved! Jump to solution
Solution

KeithH
Communicator
‎04-10-2022 09:43 PM

Hi Vatsal,

Thanks for that.  Your suggestion works.  I would have thought that Splunk would search on the field transaction_type which is extracted at search time as a single character field.  

Does this mean if I want to search on the field value (as opposed to words in the _raw) do I need to extract these at index time?

Thanks

Tags (1)
0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-11-2022 03:02 AM

You can use index-time extraction if you want better performance.

Just make sure your search syntax will be something like the below:

index=orafin sourcetype=ORAFIN2 indexed_transaction_type::D

 

-----
If this was helpful, an upvote would be appreciated!!!

0 Karma
Reply
Solved! Jump to solution

KeithH
Communicator
‎04-07-2022 08:44 PM

Oh - I am running Enterprise version 8.2.4

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...