Splunk Search

Scoping a search string to a valid field yields no results

mark
Path Finder

Hi,

I have some very strange behaviour from Splunk v4.3.3.

When I search for: index="something", splunk correctly performs all the required field extractions. In my case one such field extraction is a field named 'tla' (Three Letter Acronym).
Splunk displays all these field extractions for 'tla' as it should: within the event and also as 'interesting fields' on the left of the UI.

However, when the search is scoped down further, e.g. index="something" tla="CIS" (either by typing this into the search dialogue or clicking on the tla="CIS" hyperlink on an event) or anything else valid, Splunk returns no search results. Consequently index="something" tla="CIS*" works completely fine; it simply returns a search result for tla="CIS". Really odd!

A few other points:
There is no white space issue.

Running something like: index="something"|timechart count by tla works fine.
All the values for field 'tla' are listed in the chart. Similar for tables, stats, etc.

I've also created a few other field extractions (different name/regex) and the same thing happens.

There are no other occurrences of this issue. It seems related to only this particular index or sourcetype.

Index corruption?

Has anyone seen this before? Any ideas?
Thanks in advance,
Mark


Ayn
Legend

Very familiar. What you're seeing is this: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

(it says at the end that it's fixed now - I don't know why it says that, it definitely isn't)
