|
I have a defined field that I'm trying to perform searches against with wild cards, so given the texts:
And the following searches should return the specified item:
But A and C actually return nothing. How would I get this to work like I expect it? Thanks! |
|
This should normally work, and its failure probably has something to do with the heuristic of looking for the value in the index. The first check to make is to not put the field comparison in the initial part of the search. Does a search for just Try: |
|
How is the field |
|
gkanapathy raises good questions. If the below search works for case A then perhaps the field extraction may need to be tweaked to remove leading/trailing spaces or tabs. |
|
Great questions. Let me clarify them: How is the field my_field actually extracted?
Are there actually spaces delimiting both sides of text2search (and blah) in all cases?
Is text2search actually just a word without internal spaces or punctuation?
Does the search work if you don't specify my_field but just search for text2search (or *text2search or whatever)?
Are you running these searches from the Splunk GUI?
1
Please add your clarifications to your original post (use the "edit" link) instead of adding a new "answer" like this.
(28 May '10, 15:58)
Lowell ♦
|
|
To backup the answer from Stephen Sorkin, I've had a similar problem with searches using wildcards, and found it was resolved through putting the wildcard query after | search The link between my situation and that of the original poster I think is segmentation startegy. I've come across this problem when experimenting with using outer segmentation. Are issues with wildcard searches in this way related to disabling full segmentation? |
