The following search's results contain events with the field FUNCTIONAL_AREA_NAME="Minute Maid":
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="sap_*" eventtype=autosys_initiated_jobs System="SAP FILO(p08)"
When I add FUNCTIONAL_AREA_NAME="Minute Maid" to the search above to narrow it down, the search does not show any results at all.
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="sap_*" eventtype=autosys_initiated_jobs System="SAP FILO(p08)" FUNCTIONAL_AREA_NAME="Minute Maid"
The search above shows no results, but take out the field = minute maid and there are results with the minute maid field.
I have a field extraction pulling the _mm or _spmm to create the field FUNC_AREA_ABR, for functional area abbreviation, and then I have an automatic lookup table which takes FUNC_AREA_ABR and OUTPUTNEW FUNCTIONAL_AREA_NAME, which is "Minute Maid".
Here is the field extraction: EXTRACT-FUNC_AREA_ABR = (?i)p(?P<FUNC_AREA_ABR>_\D+)
This pulls the _mm off of sap_mm01234 or _sp on sap_spmm1234.
Why aren't the results showing? Please help. Thanks!
You are probably running into this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Does this search work?
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="sap_*" eventtype=autosys_initiated_jobs System="SAP FILO(p08)" FUNCTIONAL_AREA_NAME=* | search FUNCTIONAL_AREA_NAME="Minute Maid"
If so, the solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[FUNCTIONAL_AREA_NAME]
INDEXED_VALUE = false
Thank you!