Splunk Search

TAGS not showing in Field Discovery panel when a wildcard is used


I should mention that both the standard and wildcard tags both return search results, but the wildcard tag does not show up in the field discovery panel.
All of the following searches work:


Field Discovery Working:
Here's an example of a tag I've created which shows as a field in the format of tag::host.

Tag Name: QA
Field value pair: host=abcd.com

Field Discovery Not working:
When I add the wildcard to cover variations of the hostname i.e. short and long, the search works and returns results, but I do not see the field tag::host in the field discovery panel.

Tag Name: QA
Field value pair: host=abcd*



0 Karma


Wildcards are allowed from 6.x onwards as far as I know, but the tags still does not show in the field discovery panel.

I suspect that the field discovery panel receive its collection of fields before the tags are added to the event. The best is to log a Case with Splunk if you have a Support Contract.

0 Karma

New Member
0 Karma