I'm a newbie to Splunk, and I'm having difficulty with field definitions and searches.
My input data (from syslog) contains one field of a form such as ":ABC1234I:", which means component "ABC" generated log message ID 1234 at level I (info). This is parsed fairly easily using this regex:
(?i):(?P
The search shows Logger, Logno, and Sev under "interesting fields" as expected, and shows the set of values found for each one. All this seems fine.
But when I select one of the values under "Logger", I get no matches, despite it already listing some 26,000+ hits for that particular value.
The search term in this instance is
sourcetype="syslog" Logger="CGP"
What am I doing wrong?
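As an added illustration (not part of the original question or of Splunk itself) of the extraction the question describes, the following Python reproduces the named-group parse of the ":ABC1234I:" token and the consistency check the poster expected from Splunk: every value listed under "interesting fields" for Logger should return exactly that many events when it is used as a search term. The regex, the sample syslog lines and the Logger value "CGP" are my own assumptions, since the regex in the post is truncated.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the original post). The
# message-ID token has the :<Logger><Logno><Sev>: shape described above.
SAMPLE_LINES = [
    "Mar 14 10:01:02 host1 app[123]: :CGP1234I: connection accepted",
    "Mar 14 10:01:03 host1 app[123]: :ABC0042W: retry limit reached",
    "Mar 14 10:01:04 host2 app[456]: :cgp1235E: backend unreachable",
    "Mar 14 10:01:05 host2 app[456]: :ABC0042W: retry limit reached",
    "Mar 14 10:01:06 host2 cron[7]: no message id in this event",
]

# Assumed reconstruction of the named-group pattern; the poster's exact regex
# is not visible, so this is my own, not theirs. (?i) mirrors the case-
# insensitive flag that does survive in the post.
MSGID_RE = re.compile(r"(?i):(?P<Logger>[A-Z]+)(?P<Logno>\d+)(?P<Sev>[A-Z]):")


def extract_fields(line):
    """Return the Logger/Logno/Sev fields for one event, or None if absent.

    Values are upper-cased so that "cgp" and "CGP" are counted and searched as
    one value; a value summary and a value search must agree on normalisation
    or the hit counts will not line up.
    """
    m = MSGID_RE.search(line)
    if not m:
        return None
    return {
        "Logger": m.group("Logger").upper(),
        "Logno": m.group("Logno"),
        "Sev": m.group("Sev").upper(),
    }


def field_values(lines):
    """Per-field value counts, the equivalent of the 'interesting fields' panel."""
    counts = {"Logger": Counter(), "Logno": Counter(), "Sev": Counter()}
    for line in lines:
        fields = extract_fields(line)
        if fields:
            for name, value in fields.items():
                counts[name][value] += 1
    return counts


def search(lines, **criteria):
    """Events whose extracted fields match every Field=value criterion."""
    hits = []
    for line in lines:
        fields = extract_fields(line)
        if fields and all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(line)
    return hits


def summary_matches_search(lines, field, value):
    """The invariant the question relies on: clicking a listed value should
    return exactly the number of events the summary reported for it."""
    return len(search(lines, **{field: value})) == field_values(lines)[field][value]


if __name__ == "__main__":
    print(field_values(SAMPLE_LINES)["Logger"])
    for hit in search(SAMPLE_LINES, Logger="CGP"):
        print(hit)
    print("consistent:", summary_matches_search(SAMPLE_LINES, "Logger", "CGP"))
```

When the extraction and the search are driven by the same regex and the same normalisation, `summary_matches_search` is always true; the behaviour described in the question (a value listed with 26,000+ events but zero hits when searched) is what that check is designed to catch.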
What version of Splunk are you running? Your problem sounds very much like what is described here: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
But it's supposed to be fixed in 4.3.
Interesting. Something for the Splunk people to have a look at. If your issue is solved, could you mark my answer as accepted? Thanks!
The solution described using that link worked. Thanks for the quick response.
I am using a fresh install of 4.3.1. I can move fields.conf out of the way and rerun a search and it will fail, so clearly the issue still exists with 4.3.1, with the same solution.