topic Re: Missing data after I increase the numeric data in my where clause in Splunk Search https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409319#M118084 <P>you could do something like this</P> <PRE><CODE>initial search | stats avg(field1) AS avg by _time, field2 | where avg &gt; 100 | xyseries _time field2 sum </CODE></PRE> Wed, 27 Feb 2019 17:18:58 GMT lakshman239 2019-02-27T17:18:58Z Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409312#M118077 <P>Greetings</P> <P>I'm using the following query over 24hrs.</P> <P>| initial search<BR /> | timechart useother=f span=1h avg(field1) by field2 where avg &gt; 100<BR /> | fields - NULL</P> <P>And I get results for that meet that criteria, but when I increase the numeric value from &gt; 100 to &gt; 400, I get zero results even though I should see at least one or two fields from "field2" populate. Any thoughts on what is causing my dilemma? </P> Tue, 26 Feb 2019 22:43:50 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409312#M118077 cquinney 2019-02-26T22:43:50Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409313#M118078 <P>Pls change your search as below and re-test</P> <PRE><CODE> initial search | timechart useother=f span=1h avg(field1) AS avg by field2 where avg &gt; 100 </CODE></PRE> Wed, 27 Feb 2019 16:20:40 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409313#M118078 lakshman239 2019-02-27T16:20:40Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409314#M118079 <P>Thank you for the suggestion, but the data still disappears when I increase the numeric value to 200 even though there should be results.</P> Wed, 27 Feb 2019 16:36:17 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409314#M118079 cquinney 2019-02-27T16:36:17Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409315#M118080 <P>do you see avg more than 200 when you run </P> <PRE><CODE> initial search | timechart useother=f span=1h avg(field1) AS avg by field2 | where avg &gt; 100 </CODE></PRE> Wed, 27 Feb 2019 16:41:55 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409315#M118080 lakshman239 2019-02-27T16:41:55Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409316#M118081 <P>No, nothing populates regardless of the numeric value when I pipe the where clause to its own line I'm afraid.</P> Wed, 27 Feb 2019 16:45:49 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409316#M118081 cquinney 2019-02-27T16:45:49Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409317#M118082 <P>Try-</P> <PRE><CODE> | timechart limit=0 span=1h avg(field1) AS avg by field2 | where avg &gt; 200 </CODE></PRE> Wed, 27 Feb 2019 17:03:33 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409317#M118082 Vijeta 2019-02-27T17:03:33Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409318#M118083 <P>Thank you for the suggestion but that doesn't seem to work either.</P> Wed, 27 Feb 2019 17:09:48 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409318#M118083 cquinney 2019-02-27T17:09:48Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409319#M118084 <P>you could do something like this</P> <PRE><CODE>initial search | stats avg(field1) AS avg by _time, field2 | where avg &gt; 100 | xyseries _time field2 sum </CODE></PRE> Wed, 27 Feb 2019 17:18:58 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409319#M118084 lakshman239 2019-02-27T17:18:58Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409320#M118085 <P>That will actually work for what I'm trying to accomplish, thank you!</P> Wed, 27 Feb 2019 17:24:58 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409320#M118085 cquinney 2019-02-27T17:24:58Z Re: Missing data after I increase the numeric data in my where clause https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409321#M118086 <P>pls accept the answer to close tracking.</P> Wed, 27 Feb 2019 17:28:03 GMT https://community.splunk.com/t5/Splunk-Search/Missing-data-after-I-increase-the-numeric-data-in-my-where/m-p/409321#M118086 lakshman239 2019-02-27T17:28:03Z