Simply query, failes with field specificity

tlmayes · ‎11-29-2021

I have what should be a simple problem, but I don't have an answer without burning some brain cells

Simple query example: index=some_index sourcetype=some_sourcetype. Returns 140k events

Output of the query above contains the field 'tag', with 7 values, x 30K+ events

But if I use the query: index=some_index sourcetype=some_sourcetype tag="*"

I get 'zero', no results

PickleRick · ‎11-29-2021

"tag" is an internal splunk's "meta-field". Tags are applied to events based on field values and are mostly used to create common search criteria for various types of events. So if your events indeed have a field called tag, it overlaps with the "field" name used internally by splunk.

For the same reason you shouldn't use fields named "index", "source" or "sourcetype". I suppose "eventtype" could also cause problems.

yuanliu · ‎11-29-2021

One possibility is that 'tag' is a calculated field. Open Settings -> Fields -> Calculated fields to see if this this the case. (If the field is partially ingested/transformed and partially calculated, the results can be even more puzzling.)

Simply query, failes with field specificity

fields

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...