Hello,
I'm trying to understand the behavior of a basic query such as the one below (I've ingested a JSON dataset):
index=main syswow64
This returns many events, as I have events with a field path whose value is c:\windows\syswow64\ws2_32.dll.
Reading the documentation, I understood that not specifying a field actually queries the _raw field, so my first guess was that the above query was equivalent to
index=main _raw=syswow64
However, the above does not return any event, as opposed to
index=main _raw=*syswow64*
So I then thought that it was actually adding wildcards by default to perform the search on the _raw field; however, the below seems to indicate that it does not:
# This will not return any event
index=main yswow64
# This will return events
index=main _raw=*yswow64*
So it looks like when not specifying any field, I can actually search for "words", but I cannot when specifying a field name (i.e. _raw= or path=). I'm not sure I understand the concept behind this. Can someone please explain the Splunk behavior and why this is happening?
Also, which of the two queries below is the most optimized to search for the existence of syswow64 in path?
index=main syswow64 # this might return more events if syswow64 word is existing in another field
index=main path=*syswow64*
Thank you!
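As an added illustration, not part of the original post and not Splunk's own code: a small Python model of why a bare term and a field=value expression behave differently. It assumes an approximation of the default segmenters.conf major/minor breakers and a constructed JSON event; a bare term is looked up as a whole indexed segment (so yswow64 is not a term), while _raw= and path= compare the entire field value, with * as the only wildcard.

```python
import re

# Assumption: approximation of Splunk's default segmenters.conf breakers.
# Major breakers split _raw into major segments; minor breakers split those
# further. Both kinds of segment are written to the index lexicon as terms.
MAJOR_BREAKERS = r'''[\[\]<>(){}|!;,'"*\s&?+]'''
MINOR_BREAKERS = r'[/:=@.\-$#%\\_]'

# Constructed sample event (raw JSON text) and its extracted "path" field.
EVENT_RAW = r'{"path":"c:\\windows\\syswow64\\ws2_32.dll","pid":4242}'
EVENT_PATH = r'c:\windows\syswow64\ws2_32.dll'


def segment(raw: str) -> set:
    """Return the lowercased lexicon terms the indexer would store for one _raw."""
    terms = set()
    for major in re.split(MAJOR_BREAKERS, raw):
        minors = [m.lower() for m in re.split(MINOR_BREAKERS, major) if m]
        if minors:                      # skip pieces that were only breakers
            terms.add(major.lower())    # e.g. c:\\windows\\syswow64\\ws2_32.dll
            terms.update(minors)        # e.g. c, windows, syswow64, ws2, 32, dll
    return terms


def bare_term_matches(raw: str, term: str) -> bool:
    """'index=main syswow64': the word must equal a whole indexed segment."""
    return term.lower() in segment(raw)


def field_matches(value: str, pattern: str) -> bool:
    """'field=pattern': whole-value, case-insensitive match; '*' is the only wildcard."""
    regex = '^' + '.*'.join(re.escape(p) for p in pattern.split('*')) + '$'
    return re.match(regex, value, re.IGNORECASE) is not None


def run_queries(raw: str = EVENT_RAW, path: str = EVENT_PATH) -> dict:
    """Evaluate the searches from the question against the constructed event."""
    return {
        "index=main syswow64": bare_term_matches(raw, "syswow64"),
        "index=main yswow64": bare_term_matches(raw, "yswow64"),
        "index=main _raw=syswow64": field_matches(raw, "syswow64"),
        "index=main _raw=*syswow64*": field_matches(raw, "*syswow64*"),
        "index=main path=*syswow64*": field_matches(path, "*syswow64*"),
    }


if __name__ == "__main__":
    for query, hit in run_queries().items():
        print(f"{query:35} -> {'matches' if hit else 'no match'}")
```

The model also shows why the bare term is the cheaper of the two: it is answered from the lexicon, whereas a pattern with a leading * cannot be resolved from the lexicon and must be compared against every candidate event's field value.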