×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
amanar98
New Member
Member since: ‎06-21-2023
‎12-21-2023
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-21-2023
View All

Why do Bloom filters only work if written in quote...

by in Splunk Enterprise
‎06-21-2023 09:22 AM
‎06-21-2023 09:22 AM
Sample Log 16/Jan/2021:00:00:01 +0000 1111155317 madridES_20 90.180.XX.167 GET https www.cdn77.com /img/customers_logos_light.png 200 HIT 35532 41004 0.000 424923 Mozilla/5.0 (Linux; Android 4.4.2; SUNSET Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari https://www.cdn77.com/css/main.min.css V3 How Bloom filters work when written in quotes like this 1st Query -       index=some_index "Mobile Safari"       As per my understanding terms in logs break on major segmenters i.e. space here and make lexicon terms that are present in tsidx files on which bloom filters work. If I write the query like this  2nd Query -       index=some_index TERM(Mobile Safari)       It won't return any events as there is no Lexicon Term present in tsidx files like Mobile Safari as a whole. But the 1st query is returning the events having the string Mobile Safari. I want to understand how filter in double quotes is different from the one used inside TERM. How these filters are processed? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-21-2023 11:56 AM