Search Job Investigation after search with no results shows "None"?

avoelk
Communicator

Hello,

The following search

index=index1 message_type=query
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip

shows me 23300 matched events and shows me a table in statistics with those results.

But when I try to use tstats (in that case the datamodel Network_Resolution has all the data for index1) it shows me 0 results, even though when I only search the tstats datamodel with no other things like the lookup etc. it gives me 5 million matches but doesn't show me anything in statistics.

Also, in the job inspector it shows me that the highlighted portion didn't result in any results, and the only highlighted part is behind |tstats (in which nothing should be) and it says "NONE |tstats .... " Why is this "NONE" there? My tstats is as follows:

|tstats count as count from datamodel=Network_Resolution
where
(message_type=query) by dns_request_client_ip

and then I try to combine it with the rest of the search as stated above via |search

|search
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip

There must be something logically wrong with my approach, right?

Thanks a lot for any help.


richgalloway
SplunkTrust

The where clause of the tstats command must use field names present in the datamodel, which must include the DM object name. DNS.message_type, for example. I don't see dns_request_client_ip in the Network_Resolution datamodel, however. Using a non-existing field in the by clause will produce zero results.

---
If this reply helps you, Karma would be appreciated.
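As an added example (not code from the original poster or from the reply above), this is how the tstats version of the search could be written once the fields carry the DNS object prefix. It assumes the root object of the CIM Network_Resolution datamodel is named DNS and that the requesting client's address is stored in the CIM field DNS.src; both are assumptions about the environment, not something the thread confirms. lookup1 and ip_address are taken from the question.

```spl
| tstats count from datamodel=Network_Resolution
    where DNS.message_type=query
      NOT DNS.src=127.0.0.1
    by DNS.src
| rename DNS.src as dns_request_client_ip
| search NOT [| inputlookup lookup1 | fields ip_address | rename ip_address as dns_request_client_ip]
```

The rename happens before the subsearch so that the OR-list the subsearch returns (dns_request_client_ip=... OR dns_request_client_ip=...) matches the field name in the tstats output, which is the same trick the original search relied on. A trailing stats count by dns_request_client_ip is not needed because tstats has already counted per client. Before trusting the by clause, confirm the field actually exists in the datamodel with something like `| tstats count from datamodel=Network_Resolution by DNS.src | head 5`; a by clause on a field the DM does not define is exactly the case that returns zero rows with no error, and the same exact-match rule applies to the lookup values, which must be stored in the same string form as DNS.src.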

avoelk
Communicator

Ah gosh, that must be it. Thanks a lot! I'll try it asap 🙂

Thanks Rich!