That is correct. Splunk searches for the value first ( row ), then checks to see if it matches, because it's much more efficient. However, if the value is not indexed because it's not a word (or "token") then it won't be found. You can change this behavior in fields.conf for a particular field ( INDEXED_VALUE = false ) but this can severely hurt search performance for that field. You could instead search for " *row* ", which will be better, and you can abstract this away using a macro.
... View more