Field search needs unnecessary wildcard character *

bibekmantree
New Member

I am doing a search on data coming from fluentd k8s.
On top of that data, I wanted to filter on the basis of a field.

"Add to search" for the field prompts that there would be a count of 7 events. But surprisingly it's zero.

So I did some trial and error to put wildcards to get data. Here it is.

index=main 200 namespace="*app-s*pace*"

Now all the 7 events show up!!

My Question is Why is this happening?
And why -s*pace.
In some fields, keeping * also does not give accurate events.

0 Karma

oscar84x
Contributor

Is this a regex based field extraction?
Have a look at the article below and see if this is what you're running into.

https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html

0 Karma

bibekmantree
New Member

I had no intention to do namespace="*app-s*pace*", as the result did not show on app-space. I did this by trial and error and added these * around the string.

If you see the 1st image, the field is a plain string, app-space, and it also suggests that 7 events will appear, but clicking on it (2nd image) gives zero events.

0 Karma

oscar84x
Contributor

Yes, I believe I understand what the problem is. You're describing something similar to what the blog post I shared describes.
The solution for the problem in the article is to add the below stanza to your fields.conf. But that depends on whether it was a regex based field extraction or not, which was my question to you.

[namespace]
INDEXED_VALUE = false

0 Karma
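As an added illustration, not code from this thread or from Splunk itself, here is a small Python model of why a search-time extracted field can return zero events while the field sidebar counts them: with the default INDEXED_VALUE = true, the literal value is also required to exist as an indexed term before the extraction is ever compared. The tokenizer, the sample fluentd-style events and the field names are constructed and deliberately simplified; real Splunk segmentation is configurable and the wildcard case is not modelled.

```python
import re

# Constructed sample events (not the original poster's data): JSON lines of
# the shape fluentd forwards from Kubernetes, with namespace as a JSON field.
RAW_EVENTS = [
    '{"status":200,"namespace":"app-space","node":"worker1","log":"GET /health"}',
    '{"status":200,"namespace":"app-space","node":"worker1","log":"GET /api/v1"}',
    '{"status":500,"namespace":"kube-system","node":"worker1","log":"oom killed"}',
]


def index_terms(raw):
    """Simplified model of index-time segmentation (an assumption, not
    Splunk's real segmenter): break on whitespace and punctuation, including
    the hyphen, so "app-space" is stored only as the terms "app" and "space".
    The point is that indexed terms need not equal extracted field values."""
    return {t for t in re.split(r'[\s"{}:,\-]+', raw) if t}


def extract_field(raw, field):
    """Search-time field extraction: pull a JSON string value out of _raw."""
    m = re.search(r'"%s":"([^"]*)"' % re.escape(field), raw)
    return m.group(1) if m else None


def search(events, field, value, indexed_value=True):
    """Emulate `field=value`. indexed_value=True mirrors the default
    INDEXED_VALUE = true: the literal value must be an indexed term, so the
    event is dropped before extraction runs. indexed_value=False mirrors the
    fields.conf stanza [field] INDEXED_VALUE = false: only the extracted
    value is compared."""
    hits = []
    for raw in events:
        if indexed_value and value not in index_terms(raw):
            continue  # filtered at the index, extraction never sees it
        if extract_field(raw, field) == value:
            hits.append(raw)
    return hits


if __name__ == "__main__":
    print(len(search(RAW_EVENTS, "namespace", "app-space")))            # 0
    print(len(search(RAW_EVENTS, "namespace", "app-space", False)))     # 2
    print(len(search(RAW_EVENTS, "node", "worker1")))                   # 3
```

A value that survives segmentation as a single term ("worker1") matches either way; a value the segmenter splits ("app-space") only matches once the indexed-term requirement is switched off.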

khoonhuat
New Member

I have a similar problem.
Running the suggested test below still gives me no result. So this blog is unrelated.

"search sourcetype=MyEvents MyField=* | search MyField=ValidValue"

0 Karma

bibekmantree
New Member

Honestly, this is my 5th day with Splunk. I have not extracted any fields myself. I set up fluentd in my k8s cluster, created a HEC in my Splunk and provided that data to fluentd running on my k8s. That's it.
Then I can see these data with fields populated in my Splunk (my Splunk is a Docker container).

Let me try as you suggested (blog post).

0 Karma