Solved: Why is my ITSI search showing no results?

TheJagoff · ‎08-09-2017

Hello,

I am attempting to make a KPI with the following search:

index=demo sourcetype=access_combined action=purchase|bucket _time span=5m|stats count  by _time

I get the following results (In search)

_time                                           purchased
2017-08-09 17:10:00                             75
2017-08-09 17:05:00                             122
2018-08-09 17:00:00                             89

When in ITSI with the threshold field as "count" , Calculating Average per entity, Average of aggregate over the last 15 minute(s) every 15 minute(s) - I get No Results Found...

What am I doing incorrectly?

Thanks in advance.

TheJagoff · ‎08-09-2017

Again, I'll answer my own question - since I had Split on Entities as "Host" - that needs to be in the search statement.
To correct this, I did the following:
index=demo sourcetype=access_combined action=purchase|bucket _time span=5m|stats count by _time host

It now works...

View solution in original post

TheJagoff · ‎08-09-2017

Again, I'll answer my own question - since I had Split on Entities as "Host" - that needs to be in the search statement.
To correct this, I did the following:
index=demo sourcetype=access_combined action=purchase|bucket _time span=5m|stats count by _time host

It now works...

Why is my ITSI search showing no results?

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability