Can find a field value only when using a wildcard ...

ilyar · ‎10-22-2020

Hello,

I have field name: let's call it - "foo" and a value I desire to add to my search - "bar".
When I execute a normal query, for example:

index="main" sourcetype="blabla" foo="bar"

it won't find anything, although I know there are many events that have the field foo=bar
Alternatively, when I execute the following query:

index="main" sourcetype="blabla" foo="*bar"

I get the results I want.

What causes the first search, which should work, to fail? Is that encoding issue?

Thanks!

ITWhisperer · ‎10-22-2020

Can you share your events?

ilyar · ‎10-22-2020

Hi buddy, unfortunately not, it's sensitive data. I'm sure people had the same problem. I believe it has to do with encoding...

isoutamo · ‎10-25-2020

Can you check what your job inspection said on those rows which contains word lispy?

kennetkline · ‎10-22-2020

Sounds like maybe a transforms/props issue.

If you are getting hits with the wildcard, I would believe there is a whitespace issue; (where a leading space or more exists in the value.

ilyar · ‎10-24-2020

Hi! I tried to search with a numerous amouns of spaces, yet it cannot find the value. Using the wildcard works, however.
Maybe you have an idea as to how to confirm that?

thanks!

ITWhisperer · ‎10-25-2020

index="main" sourcetype="blabla"
| rex "foo=\"(?<characters>.*)bar\""
| fields characters

Can find a field value only when using a wildcard prefix

field extraction

other

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!