Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issues with Splunk search behavior after upgrading from version 6.4.5 to 7.0.4.

immortalraghava
Path Finder
‎06-28-2018 07:14 AM

Hi,

I upgraded my system from Splunk 6.4.5 to Splunk 7.
I found an issue with the search behavior.
Search:

 index=testindex | where asset = "up%20asset"

The above search produces results in 6.4.5 but not in 7.0.4
Has anything changed under the hood?
Any help is appreciated.

Labels (1)
Labels
0 Karma
Reply

amiftah
Communicator
‎06-28-2018 06:27 PM

Can you try :
index=testindex asset = "up*asset"
or
..| where like(asset, "up%asset")

If no result, can you check if asset is extracted in the fields bar, by running only index=testindex, make sure you are running it in the smart mode.
If it's there then check the values to make sure up.. is there

0 Karma
Reply

immortalraghava
Path Finder
‎06-29-2018 02:27 AM

Yes, it working. Using * at the end index=testindex asset = "up%20asset*" also works.
This also works ..| where like(asset, "up%asset")
But we cannot use where condition because we want to filter out as many assets as possible before the first pipe.
And we cannot use wildcards which may include other assets. We just want to be sure to filter only this one.
The problem here is for the same data it works in 6.4.5

0 Karma
Reply

amiftah
Communicator
‎06-29-2018 04:26 AM

Can you try with version 7.0.3, I don't know I find this version the most stable..

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-28-2018 06:19 PM

Just to confirm your running this in smart mode?

Also the asset field is extracted as you expected?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

immortalraghava
Path Finder
‎06-29-2018 02:23 AM

Yes, Asset field is extracted. Actually, I just select the asset from the left sidebar after running index = testindex
But for same data and same asset, we get results in 6.4.5
Tried in all modes nothing happens. It does not work in the current 7.0.4 version.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎06-28-2018 12:50 PM

So you are looking for a space in a URL in the events?

0 Karma
Reply

immortalraghava
Path Finder
‎06-29-2018 02:19 AM

No, I am looking for the events with the exact asset value. That is how it is indexed. I can see on the left side event count for this asset when I run just index=testindex. But when I try to filter it does not bring the results. For the same event data and same search, it works in 6.4.5

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...