Splunk Search

Why do I get a different number of results when filtering based on variations of the same lookup field value?



Splunk is acting strangely and it's something I've never encountered before. I will try to simplify my explanation as best as possible.

At extraction time I have two automatic lookups. The first lookup produces a new field called group and this field is used to extract, in conjunction with a field extraction, a field from the second lookup named process. Permissions are set correctly for all objects and associated to the host. When searching the index without any filters all fields appear correctly.

If I try to filter a specific value for the field process obtained from the second lookup, it does not work as expected. For example, I have a field value Journal Posting. I know that 109 entries contain this field value. Here is where it gets strange:

  • If I run index=index_name process="Journal Posting" splunk returns 15 results.
  • If I run index=index_name process="Journal*" splunk returns 16 results.
  • If I run index=index_name process="Jo*" splunk returns 56 results.
  • If I run index=index_name process="J*" splunk returns 109 results.
  • If I run index=index_name process="*Journal Posting*" splunk returns 109 results.

I have no idea why it does this. Is it a memory issue? Are there any configuration checks that I should make?

Any help would be greatly appreciated.

Best regards,


Tags (1)
0 Karma


Are you executing your search for a exact time-range ? or realtime moving windows / last 5 min ,15min etc ?

from the time-range picker specify a fixed time-range and try ...

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...