Search Job Investigation after search with no results shows "None"?

avoelk
Communicator

Hello,

The following search

index=index1 message_type=query
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip

shows me 23300 matched events and shows me a table in statistics with those results.

But when I try to use tstats (in that case the datamodel Network_Resolution has all the data for index1) it shows me 0 results, even though when I only search the tstats datamodel with no other things like the lookup etc. it gives me 5 million matches, but doesn't show me anything in statistics.

Also, in the job inspector it shows me that the highlighted portion didn't result in any results, and the only highlighted part is behind |tstats (in which nothing should be) and it says "NONE |tstats .... ". Why is this "NONE" there? My tstats is as follows:

|tstats count as count from datamodel=Network_Resolution
where
(message_type=query) by dns_request_client_ip

and then I try to combine it with the rest of the search as stated above via |search
|search
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip

There must be something logically wrong with my approach, right?

Thanks a lot for any help.


richgalloway
SplunkTrust

The where clause of the tstats command must use field names present in the datamodel, which must include the DM object name: DNS.message_type, for example. I don't see dns_request_client_ip in the Network_Resolution datamodel, however. Using a non-existent field in the by clause will produce zero results.

---
If this reply helps you, Karma would be appreciated.
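As an added illustration of the field-naming rule above (this is not code from the reply or from the thread), here is the question's tstats search rewritten with datamodel-qualified field names. It assumes the standard CIM Network_Resolution datamodel, whose dataset is named DNS and whose client-address field is DNS.src (the closest counterpart to the question's dns_request_client_ip); lookup1 and its ip_address column are taken from the question.

```spl
| tstats count
    from datamodel=Network_Resolution
    where DNS.message_type=query
    by DNS.src
| rename DNS.src AS dns_request_client_ip
| search NOT [| inputlookup lookup1 | fields ip_address | rename ip_address AS dns_request_client_ip]
    NOT dns_request_client_ip=127.0.0.1
| stats sum(count) AS count by dns_request_client_ip
```

Two things to note. Every field referenced in the tstats where and by clauses carries the DNS. prefix; after the rename the field is plain dns_request_client_ip, so the subsearch and the 127.0.0.1 exclusion can be reused unchanged. The trailing command uses sum(count) rather than count: tstats has already aggregated one row per client address, so a plain count would return 1 for every IP instead of the number of queries. Without the prefix (message_type=query by dns_request_client_ip) tstats finds no matching field, which is exactly the zero-result behaviour described in the question.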

avoelk
Communicator

Ah gosh, that must be it. Thanks a lot! I'll try it asap 🙂

tnx rich!
