https://community.splunk.com/t5/Splunk-Search/Search-Job-Investigation-after-search-with-no-results-shows-quot/m-p/623588#M216774 <P>The <FONT face="courier new,courier">where</FONT> clause of the <FONT face="courier new,courier">tstats</FONT> commands must use field names present in the datamodel, which must include the DM object name.&nbsp; DNS.message_type, for example.&nbsp; I don't see&nbsp;dns_request_client_ip in the Network_Resolution datamodel, however.&nbsp; Using a non-existing field in the <FONT face="courier new,courier">by</FONT> clause will produce zero results.</P> Wed, 07 Dec 2022 16:42:39 GMT richgalloway 2022-12-07T16:42:39Z https://community.splunk.com/t5/Splunk-Search/Search-Job-Investigation-after-search-with-no-results-shows-quot/m-p/623558#M216764 <P>Hello,</P> <P>the following search&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=index1 message_type=query NOT ([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip]) NOT dns_request_client_ip=127.0.0.1 |stats count by dns_request_client_ip</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>shows me <STRONG>23300 matched</STRONG> events and shows me a table in statistics with those results.&nbsp;</P> <P>but when I try to use tstats (in that case the datamodel Network_Resolution has all the data for index1) it&nbsp; shows me 0 results, even tho when I only search the tstats datamodel with no other things like lookup etc. it gives me <STRONG>5 million matches</STRONG> but doesn't show me anything in statistics.&nbsp;</P> <P>also, in job inspector it shows me that the highlighted portion didn't result in any results and the only highlightet part is behind |tstats (in which nothing should be) and it says "NONE |tstats .... " why is this none there? my <STRONG>tstat</STRONG> is as follows:&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">|tstats count as count from datamodel=Network_Resolution where (message_type=query) by dns_request_client_ip</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>and then I try to combine it with the rest of the search as stated above via |<STRONG>search</STRONG>:&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">|search NOT ([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip]) NOT dns_request_client_ip=127.0.0.1 |stats count by dns_request_client_ip</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>there must be something logically wrong with my approach, right?&nbsp;</P> <P>&nbsp;</P> <P>thanks a lot for any help.&nbsp;</P> Wed, 07 Dec 2022 15:56:05 GMT https://community.splunk.com/t5/Splunk-Search/Search-Job-Investigation-after-search-with-no-results-shows-quot/m-p/623558#M216764 avoelk 2022-12-07T15:56:05Z https://community.splunk.com/t5/Splunk-Search/Search-Job-Investigation-after-search-with-no-results-shows-quot/m-p/623588#M216774 <P>The <FONT face="courier new,courier">where</FONT> clause of the <FONT face="courier new,courier">tstats</FONT> commands must use field names present in the datamodel, which must include the DM object name.&nbsp; DNS.message_type, for example.&nbsp; I don't see&nbsp;dns_request_client_ip in the Network_Resolution datamodel, however.&nbsp; Using a non-existing field in the <FONT face="courier new,courier">by</FONT> clause will produce zero results.</P> Wed, 07 Dec 2022 16:42:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-Job-Investigation-after-search-with-no-results-shows-quot/m-p/623588#M216774 richgalloway 2022-12-07T16:42:39Z https://community.splunk.com/t5/Splunk-Search/Search-Job-Investigation-after-search-with-no-results-shows-quot/m-p/623599#M216776 <P>ah gosh, that must be it. thanks a lot! I'll try it asap <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>&nbsp;</P><P>tnx rich!</P> Wed, 07 Dec 2022 15:01:22 GMT https://community.splunk.com/t5/Splunk-Search/Search-Job-Investigation-after-search-with-no-results-shows-quot/m-p/623599#M216776 avoelk 2022-12-07T15:01:22Z