These two searches don't return the same thing, and I think they should. The first one returns nothing, the second one returns some events.
In other words, clearly I have some events which contain toto3. Search2 proves it, but they are not returned by search1 when I would expect them to be. Does anybody know how this can be possible?
A search like this:
does not perform a substring search. It performs a search for a word (technically a segment) that is equal to "toto3", as in
toto3 is in my event.
To perform a substring search in Splunk, you use the wildcards like your second search or like what @sanjay.shrestha posted:
This finds toto3 when it is inside a segment but does not make up the complete segment, like
toto3isin my event.
So the answer to your question is that the substring search is not failing.
index=abc toto3 is not a substring search, but
index=abc *toto3* is.
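A simplified model of the segment matching described in the answer above, as an added example that is not part of the original posts and is not Splunk's own implementation. The breaker set, the function names and the sample events are assumptions made for illustration.

```python
import re

# Assumption: a reduced breaker set standing in for index-time
# segmentation; real breaker rules are configurable per deployment.
BREAKERS = re.compile(r"[\s,;()\[\]{}<>\"'|&?!]+")


def segments(event):
    """Split a raw event into lower-cased segments."""
    return [s for s in BREAKERS.split(event.lower()) if s]


def term_to_regex(term):
    """Turn a search term into a regex where only '*' is a wildcard."""
    parts = [re.escape(p) for p in term.lower().split("*")]
    return re.compile(".*".join(parts))


def term_matches(term, event):
    """A term matches only if it equals a WHOLE segment.
    Without '*' that means equality; '*toto3*' lets the segment
    carry extra characters on either side."""
    rx = term_to_regex(term)
    return any(rx.fullmatch(seg) for seg in segments(event))


def search(term, events):
    """Return the events the modelled search term would match."""
    return [e for e in events if term_matches(term, e)]


# Constructed sample events (not taken from the thread's data)
EVENTS = [
    "toto3 is in my event",   # toto3 is a complete segment
    "toto3isin my event",     # toto3 is the start of a longer segment
    "xtoto3y logged in",      # toto3 is in the middle of a segment
    "nothing relevant here",
]

if __name__ == "__main__":
    for term in ("toto3", "toto3*", "*toto3*"):
        print(f"{term!r:10} -> {search(term, EVENTS)}")
```

The same gap applies to any detection search built on a bare term: events where the string is embedded in a longer segment are skipped unless the term carries wildcards.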