Splunk Search

TAGS not showing in Field Discovery panel when a wildcard is used

Rob_Jordan
Explorer

I should mention that both the standard and wildcard tags both return search results, but the wildcard tag does not show up in the field discovery panel.
All of the following searches work:

tag=QA
tag=*
tag::host=QA
tag::host=*

Field Discovery Working:
Here's an example of a tag I've created which shows as a field in the format of tag::host.

Tag Name: QA
Field value pair: host=abcd.com

Field Discovery Not working:
When I add the wildcard to cover variations of the hostname i.e. short and long, the search works and returns results, but I do not see the field tag::host in the field discovery panel.

Tag Name: QA
Field value pair: host=abcd*

Thanks,

Rob

0 Karma

bkahlerventer
Explorer

Wildcards are allowed from 6.x onwards as far as I know, but the tags still does not show in the field discovery panel.

I suspect that the field discovery panel receive its collection of fields before the tags are added to the event. The best is to log a Case with Splunk if you have a Support Contract.

0 Karma

mrodriguez360
New Member
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...