https://community.splunk.com/t5/Splunk-Search/Pivot-and-Stats-and-disappearing-make-my-data-disappear/m-p/166570#M47426 <P>There is some sort of interaction from the pivots "sort 100" and that last stats command. Putting sort 0 will fix it but someone with a better understanding of the search pipeline can hopefully explain what is occurring.</P> Fri, 01 Aug 2014 01:24:09 GMT Lucas_K 2014-08-01T01:24:09Z https://community.splunk.com/t5/Splunk-Search/Pivot-and-Stats-and-disappearing-make-my-data-disappear/m-p/166569#M47425 <P>Hi All,</P> <P>I'm playing around with data models at the moment and I came across this strange issue. This is similar to my query</P> <P><STRONG>Base search</STRONG></P> <PRE><CODE>| pivot Data_Model Outbound max(value) AS "value" SPLITROW hostname AS "hostname" SPLITROW _time AS "_time" PERIOD minute SPLITROW group AS "group" SPLITROW metric AS "metric" FILTER metric is *myfilter* SORT 100 hostname </CODE></PRE> <P><STRONG>Post Process</STRONG></P> <PRE><CODE>| streamstats current=t global=f window=2 earliest(value) as curr, latest(value) as next, earliest(_time) as currTime, latest(_time) as nextTime by hostname, metric, group | eval timeDiff=nextTime-currTime | eval curr=if(timeDiff&gt;600,NULL,curr) | eval curr=if(next&lt;curr, NULL, curr) | eval delta=next-curr | eval Gigabits=(delta*8/1000/1000/1000) | eval Gigabits=if(Gigabits &gt; 10000, NULL, Gigabits) | eval Gigabits_per_second=Gigabits/timeDiff | stats max(Gigabits_per_second) by group </CODE></PRE> <P>So there seems to be a problem with using the stats command in this way. Everytime I run it, I initially get 5 rows returned, but as the search progresses, the search rows drop. So, I'll start with 10 rows, and then it will drop to 5 rows, and by the end of the search, I will only have 1 row.</P> <P>Replacing the stats command with a </P> <PRE><CODE>table Gigabits_per_second, group </CODE></PRE> <P>I'm thought the problem might be with the streamstats command but as I can get the correct values when using a table command, seems to rule that out. Anyone seen this issue before? </P> <P>Thanks</P> <P>Steve</P> Fri, 01 Aug 2014 01:21:31 GMT https://community.splunk.com/t5/Splunk-Search/Pivot-and-Stats-and-disappearing-make-my-data-disappear/m-p/166569#M47425 stephenho 2014-08-01T01:21:31Z https://community.splunk.com/t5/Splunk-Search/Pivot-and-Stats-and-disappearing-make-my-data-disappear/m-p/166570#M47426 <P>There is some sort of interaction from the pivots "sort 100" and that last stats command. Putting sort 0 will fix it but someone with a better understanding of the search pipeline can hopefully explain what is occurring.</P> Fri, 01 Aug 2014 01:24:09 GMT https://community.splunk.com/t5/Splunk-Search/Pivot-and-Stats-and-disappearing-make-my-data-disappear/m-p/166570#M47426 Lucas_K 2014-08-01T01:24:09Z