Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why query with wildcard works, but not with actual value?

thomasmuellergr
Engager
‎12-19-2018 12:27 AM

If I query with a wildcard, I get the expected result, but if I query with the actual field value, I get no results. Example: I get over 1000 results for the query:

index="..."  splunk_server=* <some more conditions>

Many of the results have pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875-mb4wc". But if I add that condition to the query (either manually or using the UI), I get no results:

index="..."  splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875-mb4wc"

I do get results (same number as without specifying the field in the query), if I use a wildcard at this location or earlier:

index="..."  splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875*"

index="..."  splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb78*"

But I get no results if I add the wildcard later, for example:

index="..."  splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875-*"

Also, interesting is the following. Both pod_name = <value> and pod_name != <value> return no results, but removing the condition on pod_name returns the expected results (as initially stated).

What could be the reason?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thomasmuellergr
Engager
‎12-21-2018 12:48 AM

The solution was to change the format for events to what is described in the Splunk documentation, so that "auto-extraction of fields during search" is not needed.

After changing the event format, everything works as expected!

Before, it looks like search was done on the raw input (possibly based on some kind of fulltext index), and not on the extracted fields. The auto-extraction happened correctly (which confused me), but it happened after search, so searching by field value was somewhat hit-and-miss.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thomasmuellergr
Engager
‎12-21-2018 12:48 AM

The solution was to change the format for events to what is described in the Splunk documentation, so that "auto-extraction of fields during search" is not needed.

After changing the event format, everything works as expected!

Before, it looks like search was done on the raw input (possibly based on some kind of fulltext index), and not on the extracted fields. The auto-extraction happened correctly (which confused me), but it happened after search, so searching by field value was somewhat hit-and-miss.

0 Karma
Reply
Solved! Jump to solution

omera
Explorer
‎04-25-2022 05:11 AM

Hi Thomas, can you give a detailed explanation on how you changed the format for events? It would be superb if you gave us the splunk docs link. We are experiencing the same issue.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-21-2018 05:38 AM

@thomasmuellergraf If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

anthonymelita
Contributor
‎12-20-2018 05:57 PM

I've seen similar behavior where in a normal search Splunk is auto-extracting the field name. However when you try to specify the field in the search it seems to happen before the auto-extraction and therefore you get no events because the field doesn't exist and you are requiring it by the search command. You may need to configure a field extraction in that case.
The part about positioning the wildcard is odd and I have not suggestion based on that.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...