×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jensguenther
New Member
Member since: ‎10-23-2018
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-23-2018
View All

Re: Why am I having trouble searching exact field ...

by in Getting Data In
‎10-23-2018 11:20 AM
‎10-23-2018 11:20 AM
thanks Mary! I checked that major and minor but got stuck somehow. However, we have this problem also on another field where we just put in plain simple single words with the exact same behavior. I checked the source generating the events: they look solid, no additional chars, all's OK. Honestly, I currently think of throwing the "fields" : {...} section away and just put everything into "event": "key=value"... ... View more

Re: Why am I having trouble searching exact field ...

by in Getting Data In
‎10-23-2018 10:51 AM
‎10-23-2018 10:51 AM
thanks 493669 ;). We thought about that double / tripple checking it and, well, nope :/. We thought also there's some crazy hidden char, we even recommitted our javascript generating the events - nothing. It is like it is. Is there any way to access the low level event data at the below data storage? Not _raw, we obviously tried that already. Maybe I've to wireshark it just before the indexer... ... View more

Why am I having trouble searching exact field valu...

by in Getting Data In
‎10-23-2018 08:27 AM
‎10-23-2018 08:27 AM
Hi Splunkers, I've got a strange problem over here: I got events indexed via the http event collector which behave strange when searched for exact field values. Let's say I got events with a field "domain" with value "example.org". Splunk reports those field/values correctly. Now, if I search for domain="example.org" Splunk returns no events at all. However, if I search for domain="*example.org*" Splunk returns all matching events. More funny, if I do * | eval dd=domain | search dd="example.org" Splunk returns all matching events. We do have this effect only on a few fields for this particular http collector stream. Here is an example of the (stripped) payload we send over {"event":"EventName","fields":{"domain":"example.org"}} Any ideas? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM