topic Re: Why my search is return no result ? in Splunk Search

Why my search is return no result ?

mah — Mon, 14 Sep 2020 15:55:33 GMT

Hi,

I have a search like this applied on many queries :

index="abs" field1="aaa" field2="bbb"
| eval dummy="true"
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")

Usually the search return a result like this :

I have the sum of KO / day. And then I use the single value for the visualization :

My issue is that on one query I have this error :

And it doesn't span bay day anymore.

Can you help me please ?

Re: Why my search is return no result ?

gcusello — Mon, 14 Sep 2020 16:04:56 GMT

Hi @mah,

The approach to debug a search is to delete one row at a time from the end of the search to understand which row has the problem.

Anyway, probably the problem is that you want to sort for ASC (| sort _time ASC), but ASC isn't present in the previous stats command, so you haven't anymore after "| stats count(eval(Statut=="KO")) as KO by _time".

Ciao.

Giuseppe

Re: Why my search is return no result ?

mah — Mon, 14 Sep 2020 16:27:55 GMT

I put the "| stats count(eval(Statut=="KO")) as KO by _time" at the end in order to answer to this other issue :

https://community.splunk.com/t5/Dashboards-Visualizations/Drilldown-not-working-at-all/m-p/519370#M34868

I've already tried to see command by command but I don't find where it goes wrong.

I find out that at this command :

index=abc

The _time returned like this :

NaN/NaN/aN
NaN:NaN:NaN.000 AM

and then when I added this command and put a single value, the problem is the same :

"These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached."

Re: Why my search is return no result ?

gcusello — Mon, 14 Sep 2020 16:34:46 GMT

Hi @mah,

running

which results do you have?

Ciao.

Giuseppe

Re: Why my search is return no result ?

mah — Tue, 15 Sep 2020 07:37:47 GMT

Hi @gcusello ,

I run the above command :

and I run the eval command I have in my begining search :

But when I added the following command : | stats count(eval(Statut=="KO")) as KO by _time

The problem still the same : it doesn't make a span by day anymore and the visualization goes wrong :

Re: Why my search is return no result ?

gcusello — Tue, 15 Sep 2020 07:50:26 GMT

Hi @mah,

at first you don't need to rename Horodate as _time (| eval _time=Horodate)

then I don't like the double "=".

Then, if you want to use stats BY _time (or Horodate), you have to put a bin command before to group values, otherwise you have touse the timechart command that permits to define the span:

so:

Ciao.

Giuseppe

Re: Why my search is return no result ?

mah — Tue, 15 Sep 2020 08:44:54 GMT

The bin doesn't work with the Horodate :

But works with _time :

Re: Why my search is return no result ?

gcusello — Tue, 15 Sep 2020 12:37:54 GMT

Hi @mah,

do it solve your need?

Ciao.

Giuseppe

Re: Why my search is return no result ?

mah — Tue, 15 Sep 2020 13:08:07 GMT

It works.

Thanks for helping!

Re: Why my search is return no result ?

gcusello — Tue, 15 Sep 2020 14:43:15 GMT

Hi @mah.,

good!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉