Pivot not showing results even though sampling the base search does

popdeluxe
New Member

I am trying to build a Pivot using a data object derived from a Base Search. "Sampling" the search returns results, plus I am able to Auto-Extract attributes derived from the fields returned in the search.

So far so good. But when I try to actually Pivot on this same data object I get a "Your search returned no results." message, and I'm stumped after trying to get this working over the past couple of days with trial and error (simplifying the search, field names, triple-checking permissions, restarting Splunk, looking for clues in logs, etc.).

I've seen other posts with similar but perhaps not the exact type of problem. Any suggestions on things to look into would be greatly appreciated!

chinmayc469
Explorer

When I run my data model as
| from datamodel:"DemoModel2.DemoDataSet2" in my search bar, I get 2000 rows in the Events tab, but only 232 rows in the Statistics tab.

Does anyone have an idea regarding this issue?

DalJeanis
Legend

It sounds like you've already done the basic troubleshooting, so the issue is probably something quite nuanced. If you provide a sanitized version of the base search, the data object, and the pivot, then the community could give you better feedback.

Two things I'd try at the moment -

(1) Try building in that same app, just in case the index or any related stuff is limited to that context. If that solves the issue, then you need to investigate changing the context for the data you need.

(2) Try putting a | fillnull value=foo expression somewhere, just in case it's null values making your results disappear.

chinmayc469
Explorer

My data set contains 2000 raw events, but when I click on the Pivot button, the report only shows 232 events.

Do you have any idea regarding this issue?

popdeluxe
New Member

Additional feedback:

  • With the Pivot there seems to be something returned, as indicated by the events message at the top. Example: 19 events (before 3/10/17 12:33:56.000 PM). Still... no results displayed by the Pivot. Count of 0. ??
  • The underlying search string in the base search includes a reference to a particular index, index=poqo, which is associated with a particular App module. The Data Model has been created in the same App module. Not sure if the index/app will lend a clue... but mentioning just in case.