I have a field defined in a transform. The field appears to work fine in a chart, whatever, but to put it in a field i have to put fieldfoo="value*" , even though the value has no characters (not even a space, I checked, after the "e" in this case.
To make it even weirder, there is an alias to this field (for backward compatibliity for some old searches, and that one works fine....
Might this field contain a value that isn't part of indexed data, or only part of a token in indexed data? For instance, in the first case, the field could have been extracted in something like this manner:
[myfieldextraction]
REGEX = (matchsomething)
FORMAT = myfield::someothertext
...so the field would have the value "someothertext" even though that value doesn't actually exist at all in the index.
Or, in the second case, the extraction would look something like this:
[myotherfieldextraction]
REGEX = (matchjust)apartofaword
FORMAT = myotherfield::$1
If any of these apply to your extraction, you are very likely seeing the effects of what is described in detail in this excellent blog post: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
You shouldn't set INDEXED=true because it's not an indexed field. I know the docs (and the blog post I linked to) say that Splunk should be able to handle this situation by itself now, so you won't have to set indexed_value yourself, however that simply doesn't seem to be true. Try just setting INDEXED_VALUE to false without setting INDEXED=true.
put this in two comments for length 🙂
then I have this in props.conf:
REPORT-frameworkparts = framework-parts,framework-threadname-parts,rmdirect-structuredlog,rmdirect-structuredlog-props,rm-framework-event-type
[threadname]
INDEXED=true
INDEXED_VALUE=false
that's interesting, so I tried indexed_value=false, didn't fix it. The fields.conf spec indicates this is only applicable for an index=false, which this field is indexed=true.
here's the deal, I have a transform (in transforms.conf of this app).
[framework-parts]
FORMAT = $0 loglevel::"$1" threadname::"$2" logger::"$3" user::"$4" rmrealm::"$5" processid::"$6" messageid::"$7"
REGEX = ([A-Z]+)\s+[(.?)]\s+(.?)\s+((.?@(.?)|.?))\s+((.?))\s+((.*?))