Getting Data In

Defined field values showing no results, unless reloaded

afx
Contributor

Hi, I have a totally weird situation.

The field list on the left shows me the stuff I have defined.
When I click on one of them, I see the field values. But when I then select one, the search does not show anything:

index=amp_sal message_id=AU1

Delivers no results even though Splunk just told me there are AU1 message_ids...
But when I exclude the field I see results:

index=amp_sal message_id!=AU1

And I also see results when I perform a reload in the query:

index=amp_sal 
| extract reload=t 
| search message_id=AU1

So what is going on?
Of course, there have been plenty of restarts.

This is how the fields are defined:

EXTRACT-sal = ^(?<message_id>.{3})(?<date>.{8})(?<time>.{6})(\w\w)(?<process_id>.{5})(?<task>.{5})(?<proctype>.{2})(?<term>.{8})(?<user>.{12})(?<transaction>.{20})(?<app>.{40})(?<client>.{3})(?<message>.{64})(?<src>.{20})

And the best thing is, this is not consistent for the defined fields: some work OK, some exhibit the weird behavior.
I tried to define them individually, but that did not change anything.

Any ideas?
thx
afx

0 Karma
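A local check worth running on the raw records before chasing the search-head configuration: apply the posted EXTRACT-sal regex outside Splunk and look at exactly what each named group captures. The script below is an added example, not code from the thread or from Splunk; the column layout is read off the quantifiers in the posted regex, while the padding convention (values left-justified and space-filled to the column width) and the sample events are assumptions. It demonstrates two properties of this particular regex: every column is a fixed-width quantifier with nothing optional, so a record shorter than 198 characters (or one without two word characters after the time field) does not match at all and yields no fields, and any column whose value is narrower than its width is captured with its padding, so an exact comparison against the visible text fails while the stripped text would pass. Whether either applies to the amp_sal data is something only the raw events can tell; the script only makes the comparison visible.

```python
import re
from typing import List, Optional

# The EXTRACT-sal regex exactly as posted in the question (Splunk/PCRE syntax).
SPLUNK_REGEX = (
    r"^(?<message_id>.{3})(?<date>.{8})(?<time>.{6})(\w\w)(?<process_id>.{5})"
    r"(?<task>.{5})(?<proctype>.{2})(?<term>.{8})(?<user>.{12})"
    r"(?<transaction>.{20})(?<app>.{40})(?<client>.{3})(?<message>.{64})"
    r"(?<src>.{20})"
)


def splunk_to_python(regex: str) -> "re.Pattern[str]":
    """Splunk writes named groups as (?<name>...); Python's re needs (?P<name>...)."""
    return re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex))


PATTERN = splunk_to_python(SPLUNK_REGEX)

# Column layout in record order, read off the quantifiers in the regex.
# None marks the unnamed (\w\w) slot, which is consumed but not extracted.
LAYOUT = [
    ("message_id", 3), ("date", 8), ("time", 6), (None, 2), ("process_id", 5),
    ("task", 5), ("proctype", 2), ("term", 8), ("user", 12), ("transaction", 20),
    ("app", 40), ("client", 3), ("message", 64), ("src", 20),
]
RECORD_LEN = sum(width for _, width in LAYOUT)  # 198 characters


def build_record(**values: str) -> str:
    """Construct a sample record. Assumption: values are left-justified and
    space-padded to their column width, as fixed-width exports usually are."""
    parts = []
    for name, width in LAYOUT:
        value = "00" if name is None else values.get(name, "")
        if len(value) > width:
            raise ValueError(f"{name} is wider than {width} characters")
        parts.append(value.ljust(width))
    return "".join(parts)


def extract(raw: str) -> Optional[dict]:
    """Apply the regex the way a search-time EXTRACT would: anchored at the
    start of the event, with no trimming of what the groups capture."""
    m = PATTERN.match(raw)
    return m.groupdict() if m else None


def field_matches(raw: str, field: str, wanted: str) -> bool:
    """Exact comparison of an extracted value against the text you would type."""
    fields = extract(raw)
    return fields is not None and fields[field] == wanted


def padded_fields(raw: str) -> List[str]:
    """Names of fields whose captured value carries leading or trailing
    whitespace, i.e. values an exact comparison with the visible text misses."""
    fields = extract(raw) or {}
    return [name for name, value in fields.items() if value != value.strip()]


def diagnose(raw: str, field: str, wanted: str) -> str:
    """One-line verdict for a record/field/value triple."""
    fields = extract(raw)
    if fields is None:
        return (f"no match: record is {len(raw)} chars, the regex needs "
                f"{RECORD_LEN} plus two word characters after the time field")
    value = fields[field]
    if value == wanted:
        return f"{field}={wanted!r} matches"
    if value.strip() == wanted:
        return f"{field} captured as {value!r}: padded, exact match for {wanted!r} fails"
    return f"{field} captured as {value!r}, not {wanted!r}"


if __name__ == "__main__":
    # Constructed sample events, not data from the thread.
    good = build_record(message_id="AU1", date="20240301", time="101500",
                        process_id="12345", user="afx", src="host1")
    truncated = good[:-1]  # one character short: the last column was cut
    for raw, field, wanted in [(good, "message_id", "AU1"),
                               (good, "user", "afx"),
                               (truncated, "message_id", "AU1")]:
        print(diagnose(raw, field, wanted))
    print("padded columns:", padded_fields(good))
```

Feed real events in place of the constructed ones (for example the `_raw` of a result that `| extract reload=t | search message_id=AU1` does return) and compare `repr()` of each captured value with what you type into the search bar; a value that only matches after `strip()`, or a record that does not match at all, narrows the problem to the data and the regex rather than to the configuration.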

afx
Contributor

Thanks, but that has the same empty result.
AU1 is one of many possible message IDs (and no, none of them works) that Splunk shows me as available.

cheers
afx

0 Karma

DavidHourani
Super Champion

Hi @afx,

Does this work?

 index=amp_sal message_id="AU1"

Could it be that AU1 is also a field name? Is it the same regardless of what you type for message_id?

0 Karma