No results found, still chart and stats return 1.

stratenh · ‎11-20-2016

Hi,

I have a query which returns no results:

index="itsm" sourcetype=incidents | dedup NUMBER sortby OPEN_TIME | search STATUS!=Closed STATUS!=Resolved ASSIGNMENT="MY GROUP"

but when I add chart or stats:

index="itsm" sourcetype=incidents | dedup NUMBER sortby OPEN_TIME | search STATUS!=Closed STATUS!=Resolved ASSIGNMENT="MY GROUP" | chart count

it returns 1 (but not always).

Does someone have an explanation for this and a solution?

Thanks.

Regard, Hans van Straten

stratenh · ‎11-23-2016

My query was wrong. The dedup sorted nothing, because OPEN_TIME is the same. So sorting is different every time, as well as the remaining records after the dedup.

Sorry for taking your time.

Regards, Hans van Straten

TiagoTLD1 · ‎11-21-2016

Are you fixing your Time Range or is it a Relative Time Range? That could explain the intermittence of 0 and 1 values

stratenh · ‎11-23-2016

Maybe some additional info will help.

I created a dashboard with this query in it. I didn't notice the problem before we used the dashboard.

stratenh · ‎11-22-2016

It's a relative time range of 1 week. But swithing between the 2 queries back and forth didn't show any change in the results. The number of records is also very low. A couple of records per week after filtering on ASSIGNMENT. So I don't expect this to be the problem.

stratenh · ‎11-22-2016

At this moment I don't see the issue using a relative period of 1 week. Just to be sure, I now used a fixed time frame specifying a period from Monday morning until the next Monday morning: it's still there. So a relative period is not the issue.

No results found, still chart and stats return 1.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...