Searching with *string* will search for all the raw events containing string. For example, if you search for *status*, Splunk will output all the events which contain failed_status, success_status, status, status_failed, status_success.
If you say status=fail* then Splunk will look only in the value of the field called status.
What do you mean by extracted for field?
Do you mean that extracted => the field will be lying on the left under fields?
Yes. Under the "INTERESTING FIELDS" column. After figuring out the name you want to use for status, you can extract a field with that name and use it for future searches.