Splunk Search

My search for a field=value returns 0 events when I know there should be events returned. Why?

the_wolverine
Champion

I have a search-time field extraction that shows up in my pick fields list and everything. The fields list is showing an event count for values that occur for that field. However, when I click on the field value, it returns 0 events.

My search-time extraction REGEX pulls out a portion of the token to return as a value. So, in my raw event, I have a token like a12345b where the value is actually 12345.

What is the problem?

1 Solution

the_wolverine
Champion

There is an additional configuration required when you have an extraction configured to pull a value out of a subtoken. It's a simple edit to fields.conf:

[field_name]
INDEXED=False
INDEXED_VALUE=False

Note that this may impact search performance for this particular field.

the_wolverine
Champion

You just lost reputation point for doing that.

Simeon
Splunk Employee

I don't understand this question.

Dan
Splunk Employee

It's more common for this case to be hit when the extraction is based off of source, sourcetype, or host values. Not sure these comments apply in that situation.

sideview
SplunkTrust

Well, bad performance is better than not working at all. But indeed, to skirt the performance issue for any particular field value 1234, you'd have to always do "myWholeField="1234*" myLittleField="1234"", and that makes the whole thing look pretty silly. 😃

gkanapathy
Splunk Employee

Another workaround that could work in rare cases is to modify segmentation settings so that the partial token is indexed as a full token. But the default probably already does this for any case that you're realistically likely to run into. It would not be a bad ER to ask for segmentation on letter/digit boundaries, which I believe is currently impossible to configure.

gkanapathy
Splunk Employee

I would strongly recommend against this solution as it will have an extremely adverse effect on search performance against this field. A much better fix is simply to search on myfield=*myvalue*, myfield=myvalue*, or myfield=*myvalue, as appropriate to your data.

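To make the accepted fix and gkanapathy's wildcard workaround concrete, here is an added configuration example; it is not from this thread and not Splunk's own documentation. The sourcetype app_log, the field name ticket_id and the extraction regex are assumed for illustration; the raw token a12345b is the one from the question.

```ini
# props.conf (assumed sourcetype "app_log"): a search-time extraction that
# captures only the digits inside a token such as a12345b, so the extracted
# value 12345 is a subtoken of what the indexer actually tokenised.
[app_log]
EXTRACT-ticket_id = \ba(?<ticket_id>\d+)b\b

# fields.conf: the stanza from the accepted answer, applied to the assumed
# field. With the default INDEXED_VALUE, a search such as
#     sourcetype=app_log ticket_id=12345
# is rewritten to also require the literal term 12345 in the index; that term
# never exists (only a12345b does), hence 0 events. Setting INDEXED_VALUE=False
# makes Splunk run the extraction on every event matching the rest of the
# search instead, which is the performance cost the thread warns about.
[ticket_id]
INDEXED=False
INDEXED_VALUE=False
```

If the fields.conf change is not wanted, the alternative from gkanapathy's comment is to leave the defaults and search sourcetype=app_log ticket_id=*12345* instead: the wildcard term *12345* does match the indexed token a12345b, so the index lookup succeeds and the extracted value is still compared against the pattern. Either way, a quick check that the extraction itself is fine is the field sidebar: it tallies ticket_id over events already returned by a broader search, which is why it shows a count even while the value-specific search returns 0.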