Hi all,

I'm a beginner about Splunk and I'm studying and implementing it for the company I work.

One of the first reports I'm setting up is the number of denies that our firewalls record. I set up a search that include the name of the firewall, the host that has and how many times the denies have been recorded:

index=net host=192.168.0.1 OR host=192.168.0.1 106023 | rex "(?=[^s]*(?:src outside:|s.*src outside:))^(?:[^:\n]*:){4}(?P<denied_host>\d+\.\d+\.\d+\.\d+)" | table host denied_host | stats count(denied_host) as count by host, denied_host | sort - count

And it works, I can see the data.

The next requirement is to plot the data in a graph, a line for each firewall, and schedule a daily execution. To do this I define a data model where I set a root search, then when I create a pivot I set up the columns and the rows, but the result is always no events found. I'm not able to understand the problem. Why the

What mistake am I doing? Is this the correct way to setup what I need? I already spent 2 days on this, reading guides, searching online and I can't find a solution or I'm not able to understand what I've found.

UPDATE: I also tried a different way, but always with data models. I defined custom field extractions and used a simpler search:

index=net host=192.168.0.1 OR host=192.168.0.2 | stats count(denied_host) as count by host, denied_host

But then again, when I define a data model with denied_host as rows, host as columns and sum of count as value, I receive "no results found"

Please, bear with my lack of terminology, I'll clarify any mistake.
Thanks,
Fabrizio