Problem with search for field=value

gelica · ‎08-02-2013

Hi,

When I'm indexing my logs, I extract a field called "file_date" from my source. The field is of the form 2013-07-31_01-05-08.

I have some problems when I want to search for a specific file_date.
Say I want to show all events where file_date = 2013-03-20_21-14-36, and I know that there are 71 events with that value.

If I search for this I get no matching events (I tried qoutes, escaping _ and -)

file_date=2013-03-20_21-14-36

However, if I run a search for whatever before it works. Like this:

* | search file_date=2013-03-20_21-14-36
file_date=* | search file_date=2013-03-20_21-14-36

I have a total of 1525 different events, all with this field, and all of them are from this year (starts with 2013), if I run a search like these

file_date=* 
* | search file_date=2013*

I get 1525 events, but if I search for

file_date=2013*

I only get 72 events.

Does anybody know how to fix this problem?

(In case someone is wondering, the fields are extracted and are showing up in the fields list.
I also have an id field which is extracted in the same way, but only consist of 6 digits, and when I search for that field everything works as normal.)

sowings · ‎08-02-2013

Try file_date=TERM(2013-03-20_21-14-36). More details here:

http://splunk-base.splunk.com/answers/68584/why-does-my-search-not-find-the-\_

Ayn · ‎08-02-2013

I think you might be running into this: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

lukejadamec · ‎08-02-2013

It is possible that Splunk is not sure whether to treat the values as a number or a string.

Try defining it as a string after the extraction and before the search. See the details here:
http://splunk-base.splunk.com/answers/11131/how-to-typecast-an-integer-as-a-string-literal

Problem with search for field=value

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes