Splunk Search

Why is my field with numeric values not giving results in my search?

patilsh
Explorer

Hello All,

I have a search which gives the below results:

alt text

As seen it has 100+ call id, now when i expand the callId field and select one value among it, i find no results found

alt text

Can anyone tell me why is it giving no results even when i am selecting the value directly from callId field?

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Okay, here's the first two steps I'd use to diagnose the issue.

First, copy the callId from a particular record (for instance, the one you screen shotted, ending in 1255, into the search and see if the record is found.

If not, then add an asterisk on the end and try again, and also add quotes around the value and try again.

It's possible that the number is not being treated as numeric, in which case one or both of those should work.

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Okay, here's the first two steps I'd use to diagnose the issue.

First, copy the callId from a particular record (for instance, the one you screen shotted, ending in 1255, into the search and see if the record is found.

If not, then add an asterisk on the end and try again, and also add quotes around the value and try again.

It's possible that the number is not being treated as numeric, in which case one or both of those should work.

0 Karma

patilsh
Explorer

Hey

When i give it callId="30900099472115376270*" , this worked.
Now i dont understand , why is a * needed as the id is 30900099472115376270 and it has not preceding it.

So can you let me know why is * working there ?

Thanks for the help!!!

0 Karma

bhavikbhalodia
Path Finder

It seems that the format of the field callId is a string and contains space after the value of callId, because of that when you use ***** your problem is solved.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Basically, the search is either mistaking the format of the callId field, or misinterpreting it somehow.

Okay, try this after the search. If the length is more than 20, then the callId is being extracted with trailing spaces. Not supposed to happen, but maybe it is happening anyway.

| eval callLen = len(callId)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...