Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

No results found, still chart and stats return 1.

stratenh
Loves-to-Learn
‎11-20-2016 10:53 PM

Hi,

I have a query which returns no results:

index="itsm" sourcetype=incidents | dedup NUMBER sortby OPEN_TIME | search STATUS!=Closed STATUS!=Resolved ASSIGNMENT="MY GROUP"

but when I add chart or stats:

index="itsm" sourcetype=incidents | dedup NUMBER sortby OPEN_TIME | search STATUS!=Closed STATUS!=Resolved ASSIGNMENT="MY GROUP" | chart count

it returns 1 (but not always).

Does someone have an explanation for this and a solution?

Thanks.

Regard, Hans van Straten

Tags (1)
0 Karma
Reply

stratenh
Loves-to-Learn
‎11-23-2016 07:18 AM

My query was wrong. The dedup sorted nothing, because OPEN_TIME is the same. So sorting is different every time, as well as the remaining records after the dedup.

Sorry for taking your time.

Regards, Hans van Straten

0 Karma
Reply

TiagoTLD1
Communicator
‎11-21-2016 08:51 AM

Are you fixing your Time Range or is it a Relative Time Range? That could explain the intermittence of 0 and 1 values

0 Karma
Reply

stratenh
Loves-to-Learn
‎11-23-2016 12:20 AM

Maybe some additional info will help.

I created a dashboard with this query in it. I didn't notice the problem before we used the dashboard.

0 Karma
Reply

stratenh
Loves-to-Learn
‎11-22-2016 01:23 AM

It's a relative time range of 1 week. But swithing between the 2 queries back and forth didn't show any change in the results. The number of records is also very low. A couple of records per week after filtering on ASSIGNMENT. So I don't expect this to be the problem.

0 Karma
Reply

stratenh
Loves-to-Learn
‎11-22-2016 11:27 PM

At this moment I don't see the issue using a relative period of 1 week. Just to be sure, I now used a fixed time frame specifying a period from Monday morning until the next Monday morning: it's still there. So a relative period is not the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...