Why can't I search for my extracted field?

Question

I have a store field brought in by a scripted lookup. it shows up when i do a search for sourcetype=foo, I can even stats count by store. but I can't search store=bar on the search bar... ?!

I thought that that this only happened for extracted fields where the value is not in the actual event

Accepted Answer

4

By default, Splunk will expand store=bar into (bar AND store=bar). If bar doesn't exist in your event, the event will not be returned.

If this is because store is an extracted field or lookup-based field, tell Splunk to not search for the text in the event by editing fields.conf:

[store]
INDEXED_VALUE = false

link

answered 15 Sep '10, 22:11

Jason
2.0k●25
accept rate: 49%

Answer 2

0	Hi, or just use the therm store::bar greez christian link answered 16 Sep '10, 13:29 Christian 73●1●6 accept rate: 22%

Why can't I search for my extracted field?

Follow this question

Splunk Resources

Related questions