Solved: Re: Why can't I see any results while searching a ...

mchang_splunk · ‎03-05-2019

I have a search-time extracted field defined in props.conf:

[foo]
EXTRACT-fields = msg=\".{20}(?<newfield>.{6})

The sample log:

Wed Feb 27 17:12:03 EST 2019 msg="020202P032929055801 FINDME

I can see "FINDME" as a value of newfield listed in "field explorer" on UI while searching "sourcetype=foo"

When I search "sourcetype=foo newfield=FINDME", no result is found.

However, I can get results while searching:

sourcetype=foo newfield=*FINDME

How can I fix this issue?

mchang_splunk · ‎03-05-2019

This issue should be able to resolved by adding fields.conf on all the indexers:
fields.conf

[newfield] 
INDEXED_VALUE = *<VALUE>

It's not working if you put fields.conf on search head.

mchang_splunk · ‎03-05-2019

This issue should be able to resolved by adding fields.conf on all the indexers:
fields.conf

[newfield] 
INDEXED_VALUE = *<VALUE>

It's not working if you put fields.conf on search head.

Why can't I see any results while searching a search-time extracted field value?