Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk Search Log SearchOperator:kv
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Search Log SearchOperator:kv
When I use the Job Inspector to view the Search Log of a completed search, I find hundreds of entries tagged: SearchOperator:kv that seem to have absolutely nothing to do with the sourcetype or datasource of the search ...
ie: I'll see hundreds of regexes that are from EXTRACT-blah-blah ... that are explicitly for other sourcetypes. I'm concerned that I have a configuration issue. Lately we've had some complaints about search performance and I'm currently wondering why all this unrelated noise in the search log? Is Splunk actually trying to perform search time extractions for data that doesn't match the sourcetype the extraction was intended for?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont feel that this question has been answered yet. @MuS suggestions may work, but doesnt help in a large environment when things need to be global.
The big question here is why is splunk trying to do sourcetype extracts on a source that has nothing to do with the sourcetype being searched?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is hard to answer without any detailed knowledge of your setup. But I would start by checking for global permission of Apps and change it back to be App, next would be to check any rouge * entries in props.conf, last but not least run your searches in Fast Mode and add any needed field in the base search.
Hope this helps, even it might not be the solution
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey MuS. Seems as if what I am referring to are Calculated-Fields. I have asked this [question][1], I when I do searches on a sourcetype for example syslog, search.log reflects calculated-fields from other sourcetypes. I am looking about how to deactivate these calculated-fields in searching not pertaining to them. Thanks, Cam.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS I appreciate the answer, I will investigate these areas shortly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I too have this question, was hoping if any resolutions have been found. I am running into the same issue.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
