If I query with a wildcard, I get the expected result, but if I query with the actual field value, I get no results. Example: I get over 1000 results for the query:
index="..." splunk_server=* <some more conditions>
Many of the results have pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875-mb4wc". But if I add that condition to the query (either manually or using the UI), I get no results:
index="..." splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875-mb4wc"
I do get results (same number as without specifying the field in the query) if I use a wildcard at this location or earlier:
index="..." splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875*"
index="..." splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb78*"
But I get no results if I add the wildcard later, for example:
index="..." splunk_server=* <some more conditions> pod_name="iwg-k8s-deployment-tom-17-aem-author-c4fdb7875-*"
Also interesting is the following: both pod_name = <value> and pod_name != <value> return no results, but removing the condition on pod_name returns the expected results (as initially stated).
What could be the reason?