I've got a problem and part of that problem is I'm not sure how to search for the solution.
Using Verbose search mode (others are the same though).
If I search index="*" User_Priority="High"
I get no results returned.
But If I search index="*" User_Priority="High" OR User_Priority="Medium" | stats count by User_Priority
I get results for the High Priority in the same time frame I searched above.
This is the same if I specify the index this data is in.
I don't understand this, and am looking on how I can get it fixed.
A very confused Splunker.
I assume that User_Priority
is an extracted field and you are experiencing this unfortunate situation:
https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html
I assume that User_Priority
is an extracted field and you are experiencing this unfortunate situation:
https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html
This sounds like what I'm dealing with. I'll confirm then give you the 'accept' on your answer. Thanks!
You are probably using search mode
(far right side between the histogram and the search results) setting of Fast
. Switch to Smart
or Verbose
and both should work.
Both are being searched in Verbose mode. That was one of my thoughts but even in Fast or Smart this same thing happens.