Re: Simply query, failes with field specificity

tlmayes · ‎11-29-2021

I have what should be a simple problem, but I don't have an answer without burning some brain cells

Simple query example: index=some_index sourcetype=some_sourcetype. Returns 140k events

Output of the query above contains the field 'tag', with 7 values, x 30K+ events

But if I use the query: index=some_index sourcetype=some_sourcetype tag="*"

I get 'zero', no results

PickleRick · ‎11-29-2021

"tag" is an internal splunk's "meta-field". Tags are applied to events based on field values and are mostly used to create common search criteria for various types of events. So if your events indeed have a field called tag, it overlaps with the "field" name used internally by splunk.

For the same reason you shouldn't use fields named "index", "source" or "sourcetype". I suppose "eventtype" could also cause problems.

yuanliu · ‎11-29-2021

One possibility is that 'tag' is a calculated field. Open Settings -> Fields -> Calculated fields to see if this this the case. (If the field is partially ingested/transformed and partially calculated, the results can be even more puzzling.)

Simply query, failes with field specificity

fields

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...