Hello,

Splunk is acting strangely and it's something I've never encountered before. I will try to simplify my explanation as best as possible.

At extraction time I have two automatic lookups. The first lookup produces a new field called group and this field is used to extract, in conjunction with a field extraction, a field from the second lookup named process. Permissions are set correctly for all objects and associated to the host. When searching the index without any filters all fields appear correctly.

If I try to filter a specific value for the field process obtained from the second lookup, it does not work as expected. For example, I have a field value Journal Posting. I know that 109 entries contain this field value. Here is where it gets strange:

• If I run index=index_name process="Journal Posting" splunk returns 15 results.
• If I run index=index_name process="Journal*" splunk returns 16 results.
• If I run index=index_name process="Jo*" splunk returns 56 results.
• If I run index=index_name process="J*" splunk returns 109 results.
• If I run index=index_name process="*Journal Posting*" splunk returns 109 results.

I have no idea why it does this. Is it a memory issue? Are there any configuration checks that I should make?

Any help would be greatly appreciated.

Best regards,

Andrew