No results without using wildcard in messagetype i...

mwinkel · ‎08-15-2017

Hi,
It seems I cannot get any search results without including a wildcard in messagetype.
More specifically:
After searching for messagetype="proposal", no events are shown.
Searching for messagetype="*proposal", events are shown.
Further research also showed that there aren't any special characters involved in the problem.

This is the complete query:

index="*-closecl-*" application="closecl" component="closecl-bfl-ws" 
environment=*
transactionType="notifyParty" messageType="*proposal" | dedup TranID sortby +_time| lookup CloseCLDossierMetaData uid as TranID OUTPUTNEW uid CustomerCode, ProductType, GrossCreditAmount, LabelCode, ProductCode, SourceSystem  | timechart minspan=1d bins=60  dc(TranID) as count | fillnull

Thanks in advance!

updated by dmj to mark code

sbbadri · ‎08-15-2017

index="-closecl-" application="closecl" component="closecl-bfl-ws" environment=* transactionType="notifyParty" messageType="proposal" | eval messageType=trim(messageType) | rest of your query

DalJeanis · ‎08-15-2017

@sbbadri - be sure to mark your code, please.

DalJeanis · ‎08-15-2017

Run this and post the results, please...

  index="*-closecl-*" application="closecl" component="closecl-bfl-ws"  environment=*
  transactionType="notifyParty" messageType="*proposal"
 | eval myproposal="---".messageType."---"
 | stats count by myproposal

richgalloway · ‎08-15-2017

Can you share some sample data?

---
If this reply helps you, Karma would be appreciated.

No results without using wildcard in messagetype in my search

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability