New findings: I played around with test data a bit more. Getting an interesting outcome. splunk version is 8.2.0 in this case.  Input field: "Country" Calculated field: ctry = tostring(Country) Filter by "Country" --> filter does not work / results as described here   Filter by "ctry" --> filter does work / results are displayed properly   It seems i can work around it with setting the field data type to "string". Is there a way to define all fields of an index? ... View more

Thanks! I'll do so! ... View more

Hi!  Sorry, if i was not clear. I do have different versions in my lab. All are basic Ubuntu with splunk installed the same way. I'm using the same version of test script in every VM. So far my findings are: 8.2.0: issue exists 8.1.4: working 8.1.3: working 8.0.0: working 7.2.0: issue exists ... View more

it does seem, all values are singles:   still seeing the issue. This is splunk 7.2.0 now.     ... View more

Hi! My Ubuntus were 8.2.0 from scratch, Windows was updated. I'll retry this week and give an update here. ... View more

8.2.0 seems to break my searches on windows and ubuntu. interesting. ... View more

Just rolled back my Splunk on Windows to 8.1.3 --> works perfectly. with the same input script. 8.2.0 on Ubuntu still no chance. Fresh installed system. ... View more

< index = "dt_test" "Test value"=*Yes* > does include "Yes", "Yesa" and "Yesb" now, of course.  < index = "dt_test" "Test value"=Yes > does not include anything ... View more

Adding the asterisks actually does do the trick in terms of filtering. It does bring new perks, of course.  Data is created via a simple script. Just sending json over. The script i am testing with just now is:       $Counter = 1 do { $TestValueArray=@( "Yes", "No", "No", "No", "No", "Yesa", "No", "Yesa", "No", "No", "Yesb", "No", "No" ) $TestValue = $TestValueArray[(Get-Random –Minimum 0 –Maximum 12)] $json = @" { "host": "Test", "index": "dt_test", "event": "Status Report Log Entry created for Test", "fields": { "Test Value": "$TestValue" } } "@ $Headers = @{ Authorization = "Splunk c39425b6-380b-46f0-b705-f381b046a031" ContentType = "application/json" } #write-host "Invoke-WebRequest -Uri "http://10.10.10.39:8088/services/collector" -Method "POST" -Body $json -Headers $Headers" Invoke-WebRequest -Uri "http://10.10.10.39:8088/services/collector" -Method "POST" -Body $json -Headers $Headers | Out-Null $counter = $counter + 1 } until ($counter -gt 1000)   ... View more

Chaps, thank you for your support so far. I did not get the time to try your recommendations, but will do so next week. I'll update then!  ... View more