Splunk Search

Why is my field with numeric values not giving results in my search?

Explorer

Hello All,

I have a search which gives the below results:

alt text

As seen it has 100+ call id, now when i expand the callId field and select one value among it, i find no results found

alt text

Can anyone tell me why is it giving no results even when i am selecting the value directly from callId field?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Okay, here's the first two steps I'd use to diagnose the issue.

First, copy the callId from a particular record (for instance, the one you screen shotted, ending in 1255, into the search and see if the record is found.

If not, then add an asterisk on the end and try again, and also add quotes around the value and try again.

It's possible that the number is not being treated as numeric, in which case one or both of those should work.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Okay, here's the first two steps I'd use to diagnose the issue.

First, copy the callId from a particular record (for instance, the one you screen shotted, ending in 1255, into the search and see if the record is found.

If not, then add an asterisk on the end and try again, and also add quotes around the value and try again.

It's possible that the number is not being treated as numeric, in which case one or both of those should work.

View solution in original post

0 Karma

Explorer

Hey

When i give it callId="30900099472115376270*" , this worked.
Now i dont understand , why is a * needed as the id is 30900099472115376270 and it has not preceding it.

So can you let me know why is * working there ?

Thanks for the help!!!

0 Karma

Path Finder

It seems that the format of the field callId is a string and contains space after the value of callId, because of that when you use ***** your problem is solved.

0 Karma

SplunkTrust
SplunkTrust

Basically, the search is either mistaking the format of the callId field, or misinterpreting it somehow.

Okay, try this after the search. If the length is more than 20, then the callId is being extracted with trailing spaces. Not supposed to happen, but maybe it is happening anyway.

| eval callLen = len(callId)
0 Karma