Solved: Search results not displayed when using certain fi...

Blu3fish · ‎09-21-2010

This is probably pretty straightforward but on my search head the following will not return any results:

index=train sourcetype=transcript slotID=1234

whereas the following will:

index=train sourcetype=transcript | search slotID=1234

slotID is a unique field extracted via props/transforms. Permissions are defined as read:everyone, write:admin What am I doing wrong?

Note that for other searches, I can query a unique field and it results will be returned: index=train sourcetype=transcript status=running (here "status" is extracted via the same props/transforms mechanism)

Stephen_Sorkin · ‎09-21-2010

This typically happens for two reasons.

The value of slotID, here "1234", is not searchable on its own. We optimize searches by replacing the equality with the value, and post-filter. If this is the case, you can mark "slotID" as "INDEXED_VALUE = false" in fields.conf.
If the slotID extraction is configured via an eventtype in props.conf, it will be extracted, but not searchable in the first search clause. There is no workaround for this.

View solution in original post

Stephen_Sorkin · ‎09-21-2010

This typically happens for two reasons.

The value of slotID, here "1234", is not searchable on its own. We optimize searches by replacing the equality with the value, and post-filter. If this is the case, you can mark "slotID" as "INDEXED_VALUE = false" in fields.conf.
If the slotID extraction is configured via an eventtype in props.conf, it will be extracted, but not searchable in the first search clause. There is no workaround for this.

Search results not displayed when using certain fields in the initial search string

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life