We have a setup where Universal Forwarders send data to indexers and dedicated search heads search those indexers.
There is a lookup in $SPLUNK_HOME/etc/system/lookups which is used in $SPLUNK_HOME/etc/search/local/props.conf and $SPLUNK_HOME/etc/search/local/transforms.conf to add some fields to all events in Splunk (I moved props.conf and transforms.conf from system/local to the search app because I got errors when searching internal indexes on the search heads).
props.conf
[default]
LOOKUP-table = my_lookup IP_NAME AS host
transforms.conf
[my_lookup]
filename = mylist.csv
max_matches = 1
When I search, the fields correctly show up in the list of events in the flashtimeline view. But if I try to use one of the custom fields in my search not all of the events show up:
index="x" myOwnField=value earliest=07/28/2011:09:50:0 latest=07/28/2011:09:55:0
If I pipe the results through another search command and use my custom fields in the second search, I get the results I expect:
index="x" earliest=07/28/2011:09:50:0 latest=07/28/2011:09:55:0 | search myOwnField=value
Has anyone else run across similar behaviour?
I believe this is your problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
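Added configuration example (not part of either post above, and not taken from the linked article). The mechanism behind this symptom is documented Splunk behaviour: for a search-time field, a base search of the form `myOwnField=value` is optimized by also requiring the literal token `value` to appear in the raw event, because Splunk assumes the field's value was extracted from the raw text. A value supplied by a lookup is normally not in the raw event, so those events are dropped before the lookup ever runs; `| search myOwnField=value` works because it filters after the lookup has been applied. Declaring the field in fields.conf with `INDEXED_VALUE = false` turns that optimization off for that field. The field name `myOwnField` is the poster's; the fields.conf location is assumed to be the same `local` directory as the poster's props.conf and transforms.conf.

```ini
# fields.conf, placed alongside the poster's props.conf and transforms.conf
# (assumed location: $SPLUNK_HOME/etc/search/local/fields.conf).
#
# Without this stanza, the base search  index="x" myOwnField=value  silently
# drops every event whose raw text does not contain the token "value", which
# is the behaviour described in the question.
#
# myOwnField is the lookup-derived field name used in the question; replace
# it with each field the lookup adds (one stanza per field).

[myOwnField]
# The field's values come from mylist.csv, not from the raw event text, so do
# not require the searched value to appear as a token in _raw.
INDEXED_VALUE = false
```

Trade-off to be aware of: with `INDEXED_VALUE = false` Splunk can no longer use the searched value to narrow the index scan, so the base search reads every event in the index and time range and applies the lookup to each before filtering. That is the same amount of work as the poster's `| search myOwnField=value` workaround, just expressed in a single base search; on large indexes, keep a narrow time range or add other indexed terms to the base search.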