Splunk Search

Simply query, failes with field specificity

tlmayes
Contributor

I have what should be a simple problem, but I don't have an answer without burning some brain cells

Simple query example:  index=some_index sourcetype=some_sourcetype.  Returns 140k events

Output of the query above contains the field 'tag', with 7 values, x 30K+ events 

But if I use the query: index=some_index sourcetype=some_sourcetype tag="*"

I get 'zero', no results

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

"tag" is an internal splunk's "meta-field". Tags are applied to events based on field values and are mostly used to create common search criteria for various types of events. So if your events indeed have a field called tag, it overlaps with the "field" name used internally by splunk.

For the same reason you shouldn't use fields named "index", "source" or "sourcetype". I suppose "eventtype" could also cause problems.

yuanliu
SplunkTrust
SplunkTrust

One possibility is that 'tag' is a calculated field.  Open Settings ->  Fields -> Calculated fields to see if this this the case.  (If the field is partially ingested/transformed and partially calculated, the results can be even more puzzling.)

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...