Solved: Why can't I search for my extracted field?

mctester · ‎09-15-2010

I have a store field brought in by a scripted lookup. it shows up when i do a search for sourcetype=foo, I can even stats count by store. but I can't search store=bar on the search bar... ?!

I thought that that this only happened for extracted fields where the value is not in the actual event

Jason · ‎09-15-2010

By default, Splunk will expand store=bar into (bar AND store=bar). If bar doesn't exist in your event, the event will not be returned.

If this is because store is an extracted field or lookup-based field, tell Splunk to not search for the text in the event by editing fields.conf:

[store]
INDEXED_VALUE = false

View solution in original post

Christian · ‎09-16-2010

Hi,

or just use the therm store::bar

greez christian

Jason · ‎09-15-2010

By default, Splunk will expand store=bar into (bar AND store=bar). If bar doesn't exist in your event, the event will not be returned.

If this is because store is an extracted field or lookup-based field, tell Splunk to not search for the text in the event by editing fields.conf:

[store]
INDEXED_VALUE = false

Why can't I search for my extracted field?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases