Hey Splunk team,
I’m facing an issue where Splunk fails to search for certain key-value pairs in some events unless I use wildcards (*) in the value. Here's an example to illustrate the problem:
{
"xxxx_ID": "78901",
"ERROR": "Apples mangos lemons. Banana blackberry blackcurrant blueberry.",
"yyyy_NUM": "123456",
"PROCESS": "orange",
"timestamp": "yyyy-mm-ddThh:mm:ss"
}
Query examples:

This works (using wildcards):
index="idx_xxxx" *apples mangos lemons*

These don't work:
-> index="idx_xxxx" ERROR="Apples mangos lemons. Banana blackberry blackcurrant blueberry."
-> index="idx_xxxx" ERROR=*apples mangos lemons*
-> The query below, using regex, does not include all error values when trying to find any value after the ERROR key:
index="idx_xxxx"
| rex field=_raw "ERROR:\s*(?<error_detail>.+?)(?=;|$)"
| table error_detail
Observations:
Non-Latin characters are not the issue; in other events, for example, Greek text in the ERROR field is searchable without wildcards. This behavior is inconsistent: some events allow exact matches, but others don't.

Questions:
- Could this issue stem from inconsistencies in the field extraction process?
- Are there common pitfalls or misconfigurations during indexing or source-type assignments that might cause such behavior?
- How can I debug and verify that the keys and values are properly extracted/indexed?

Any help would be greatly appreciated! Thank you!
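The following is an added, offline Python check that is not part of the original post and not Splunk's own code. It runs the rex pattern from the question (rewritten from PCRE's (?<name>...) syntax to Python's (?P<name>...)) against constructed sample events to show why the same pattern can succeed on a plain "ERROR: value;" event and miss a JSON-shaped event like the one above, and it contrasts that with a JSON-aware extraction. The sample events, the syslog-style prefix, and the function names are constructed for the example.

```python
import json
import re

# Constructed sample events (not taken from the original post).
# 1. A JSON-shaped event like the one in the question.
JSON_EVENT = (
    '{"xxxx_ID": "78901", '
    '"ERROR": "Apples mangos lemons. Banana blackberry blackcurrant blueberry.", '
    '"yyyy_NUM": "123456", "PROCESS": "orange", '
    '"timestamp": "2024-01-01T00:00:00"}'
)
# 2. A plain "KEY: value;" event, the shape the posted regex actually expects.
PLAIN_EVENT = "xxxx_ID: 78902; ERROR: Disk quota exceeded; PROCESS: orange"
# 3. The same JSON body with a constructed syslog-style header in front of it,
#    so the event is no longer a bare JSON document.
PREFIXED_EVENT = "Jan  1 00:00:00 apphost worker[42]: " + JSON_EVENT

# Python form of the rex from the post: (?<name>...) becomes (?P<name>...).
# It requires the literal text "ERROR:" with nothing between ERROR and the colon.
POSTED_PATTERN = re.compile(r"ERROR:\s*(?P<error_detail>.+?)(?=;|$)")

# JSON-aware fallback: quoted key, colon, then a quoted value that may contain
# escaped characters (so an embedded \" does not end the match early).
JSON_KV_PATTERN = re.compile(r'"ERROR"\s*:\s*"(?P<error_detail>(?:[^"\\]|\\.)*)"')


def extract_posted(raw: str):
    """Apply the regex exactly as written in the question; None when it does not match."""
    m = POSTED_PATTERN.search(raw)
    return m.group("error_detail") if m else None


def extract_json_aware(raw: str):
    """Parse the whole event as JSON first; if that fails (e.g. a header precedes
    the JSON body), fall back to the quoted-key regex; finally try the posted pattern
    so plain 'ERROR: value;' events are still covered."""
    try:
        obj = json.loads(raw)
        if isinstance(obj, dict) and "ERROR" in obj:
            return str(obj["ERROR"])
    except ValueError:
        pass
    m = JSON_KV_PATTERN.search(raw)
    if m:
        # Re-parse the captured literal as a JSON string so escapes are decoded.
        return json.loads('"' + m.group("error_detail") + '"')
    return extract_posted(raw)


def coverage_report(events):
    """Count how many events each extraction method produced a value for.
    A gap between the two counts is the kind of inconsistency the post describes."""
    return {
        "posted": sum(1 for e in events if extract_posted(e) is not None),
        "json_aware": sum(1 for e in events if extract_json_aware(e) is not None),
    }


if __name__ == "__main__":
    for event in (JSON_EVENT, PLAIN_EVENT, PREFIXED_EVENT):
        print("posted    :", extract_posted(event))
        print("json-aware:", extract_json_aware(event))
    print(coverage_report([JSON_EVENT, PLAIN_EVENT, PREFIXED_EVENT]))
```

The design point is that a regex written for one event shape silently yields nothing on another shape rather than erroring, which is exactly how "some events match, others don't" shows up in a table of extracted values. Comparing the two coverage counts over a sample of real events is a quick way to tell whether the extraction, rather than the indexed terms, is what varies between events.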