- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Pivot not showing results even though sampling the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pivot not showing results even though sampling the base search does
I am trying to build a Pivot using an data object derived from a Base Search. "Sampling" the search returns results, plus I am able to Auto-Extract attributes derived from the fields returned in the search.
So far so good. But when I try to actually Pivot on this same data object I get a "Your search returned no results." and I'm stumped after trying to get this working over the past couple of days with trial and error (simplifying the search, field names, triple-checking permissions, restarting splunk, looking for clues in logs, etc).
I've seen other posts with similar but perhaps not the exact type of problem. Any suggestions on things to look into would be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when i run my data model as
| from datamodel:"DemoModel2.DemoDataSet2" in my search bar, i get 2000 rows in events tab, but only 232 rows in statistics tab.
Anyone has idea regarding this issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you've already done the basic troubleshooting, so the issue is probably something quite nuanced. If you provide a sanitized version of the base search, the data object, and the pivot, then the community could give you better feedback.
Two things I'd try at the moment -
(1) try building in that same app, just in case the index or any related stuff is limited to that context. If that solves the issue, then you need to investigate changing the context for the data you need.
(2) Try putting a | fillnull value=foo expression somewhere just in case it's null values making your results disappear.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My data set contains 2000 raw events, but when i click on pivot button, report only shows 232 events.
Do you have any regarding this issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
additional feedback:
- with the Pivot there seems to be something returned as indicated by the events message at the top. Example:19 events (before 3/10/17 12:33:56.000 PM). Still.... no results displayed by the Pivot. Count of 0. ??
- the underlying search string in the base search includes a reference to a particular index, index=poqo, which is associated with a particular App module. The Data Model has been created in the same App module. Not sure if the index/app will lend a clue....but mentioning just in case.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
