I am trying to run the following search in Splunk:
index=index1 sourcetype=sourcetype1 bldg=XI
The bldg field is an automatic lookup field and exists in 100% of the events for index=index1 & sourcetype=sourcetype1. However, when I run this search, I only get back less than 1% of the results I would expect.
When I run the search as follows, I get back all of the results I am looking for.
index=index1 sourcetype=sourcetype1 | search bldg=XI
Why do I need to pipe search to get the correct results?
I am using Splunk 6.0.2.