Splunk Search

Why am I getting "No Results Found" when searching for tag I set on a field created with eval or inline field extraction?

asdfasdf12321
Explorer

So I have the search:

 index=testIndex1 | eval newField=userName+age 

I look through the results, set the newField as a selected field so that it can be tagged, and then create a few tags. I then want to search for a tag I just made, tag1. So I try these searches:

 index=testIndex1 | eval newField=userName+age  | search 'tag::newField'=tag1
 index=testIndex1 | eval newField=userName+age  | search tag=tag1

But I get "No Results Found" in both cases. What gives? I know the tag exists, because when I go back to the original search, I can see it.

Similarly, when I try to do inline named field extraction and tag based on those fields, I get the same results:

 index=testIndex1 | rex field=source "/var/log/(?<extractedField1>.*)/(?<extractedField2>.*)/(?<user>.*)/output.log" | search 'tag::user'=fred

I'm thinking there is some ordering issue between eval/extractions and tags?

asdfasdf12321
Explorer

For the field extraction case, I tried placing the field extractions in a props.conf file for the app, and I can now search for tags based on those extracted fields, but I still can't seem to get it working with inline extractions.

0 Karma

NOUMSSI
Builder

Hi,

The problem is not at the level of tags; it's at the level of the eval function.

The eval function works only with fields that have numerical values. So when you do |eval newField=userName+age, if the values of the field "userName" are not all numeric, you'll always get "No Results Found".

asdfasdf12321
Explorer

Thanks for your answer NOUMSSI, but I don't believe your statement to be true. If I run index=testIndex1 | eval newField=userName+age I get results. The eval creates a new field that is the concatenation of the two other string fields, for example "bob57". I could have also used the "." operator for concatenation (in place of the "+"), but the result is the same.

See http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Usetheevalcommandandfunctions; Example #2 is similar to this.

0 Karma

asdfasdf12321
Explorer

Also, if your theory were correct, it doesn't explain why field extraction based tagging isn't working as expected either.

0 Karma
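Added example, not part of the original thread and not tested against the poster's environment: tags are normally resolved against fields that exist when the base search runs (indexed fields and search-time extractions from props.conf), which is consistent with the props.conf workaround above. The tags command, by contrast, annotates whatever fields are present in the pipeline at the point where it runs, reading the definitions from tags.conf, so it can be placed after an eval or rex. The output field names newField_tags and user_tags are chosen here for illustration; testIndex1, newField, user, tag1 and fred are taken from the question, and the assumption is that the tags were saved against the same field names and values.

```spl
index=testIndex1
| eval newField=userName.age
| tags outputfield=newField_tags newField
| search newField_tags=tag1

index=testIndex1
| rex field=source "/var/log/(?<extractedField1>.*)/(?<extractedField2>.*)/(?<user>.*)/output.log"
| tags outputfield=user_tags user
| search user_tags=fred
```

Each search filters on the tag names written into the output field rather than on the tag::field syntax, which only applies to fields known to the base search. If a value carries several tags the output field is multivalued, and search newField_tags=tag1 still matches when any of them is tag1. The "." operator is used for the concatenation because it is unambiguous for string fields; "+" produces the same result on strings but is the operator that caused the confusion in this thread.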