Why is the search filter returning no events?

fteyssandier · ‎03-22-2018

hi all,

I have an index with a custom field and an extract of my props.conf:

[source::/test/.../*_Splunk_Telemetry.(txt|log)]
sourcetype = script_windows_log

# Field extractors
EXTRACT-script_name = ^.*\/[0-9]*_(?P<script_name>.*)\.[a-z]{3}$ in source

when I launch generic search I have this result :

For example for script name: Microlise_Splunk_telemetry I have more than 2500 events (I stop the search before ending) and if I make a filter into the script_name field:

There are no results, why is that?
I try with "where" I am getting the same result, with quotes and simple quotes, same result.

Does anybody have any idea?

Thanks for your help.

mayurr98 · ‎03-22-2018

Can you try index=windows_script_log and then as per your 2nd Screenshot when you see Microlise_Splunk_telemetry click on the Microlise_Splunk_telemetry which will automatically filter out events for that script_name

fteyssandier · ‎03-22-2018

thanks for your reply... i already test that.. same result... no event are displayed..

niketn · ‎03-22-2018

@fteyssandier, have you also tried the following to whether you get any results?

 index=windows_script_log 
| search script_name="Microlise_Splunk_Telemetry"

Also working with your raw data have you tried rex to extract various script_name?

If nothing works do you mind sharing raw events after masking/anonymizing any sensitive data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

fteyssandier · ‎03-23-2018

hi,

thank for your answer...
if i try your query

index=windows_script_log 
 | search script_name="Microlise_Splunk_Telemetry"

i has no result.. 😞

if i try this query

index=windows_script_log  | rex field=source "^.*\/[0-9]*_(?P<script_name>.*)\.[a-z]{3}$" | search script_name="Microlise_Splunk_Telemetry"

it work fine, strange...

with the same regex, into props.conf... the script_name are correctly extract... by when i m filter to this... no result, if i do the rex directly into the query, it work fine... this two method isn't the same think ?

i don't understand what is the different... for me the result must be the same...

jeyakumar8 · ‎05-24-2021

Hi fteyssandier,

For one my use case as well, when I try to execute

index=event_type -> giving result

index=event_type | stats count by az -> giving list of results.

but when I execute index=event_type | search az="GC" not giving results.

After changing search query with your regex, that is workmen fine. Have you found why that is happening?

logloganathan · ‎03-22-2018

Please try whether this query work
index=windows_script_log | stats count by script_name

if yes then

index=windows_script_log "Microlise_Splunk_Telemetry"
this will return the result

fteyssandier · ‎03-22-2018

thank for your reply.

for the query

index=windows_script_log | stats count by script_name

the result is correct, for script_name "Microlise_Splunk_Telemetry" there are (for my time period) 730 event.

when i try the second query

index=windows_script_log "Microlise_Splunk_Telemetry"

there are no result (for the same period of course ^^)

Why is the search filter returning no events?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM