Splunk Search

Search Job Investigation after search with no results shows "None"?

avoelk
Communicator

Hello,

the following search

index=index1 message_type=query
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip

shows me 23300 matched events and shows me a table in statistics with those results. 

but when I try to use tstats (in that case the datamodel Network_Resolution has all the data for index1) it shows me 0 results, even though when I only search the tstats datamodel with no other things like lookup etc. it gives me 5 million matches but doesn't show me anything in statistics.

also, in job inspector it shows me that the highlighted portion didn't result in any results and the only highlighted part is behind |tstats (in which nothing should be) and it says "NONE |tstats .... " why is this none there? my tstats is as follows:

|tstats count as count from datamodel=Network_Resolution
where
(message_type=query) by dns_request_client_ip

and then I try to combine it with the rest of the search as stated above via |search

|search
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip

there must be something logically wrong with my approach, right?

thanks a lot for any help. 


richgalloway
SplunkTrust

The where clause of the tstats command must use field names present in the datamodel, which must include the DM object name. DNS.message_type, for example. I don't see dns_request_client_ip in the Network_Resolution datamodel, however. Using a non-existing field in the by clause will produce zero results.

---
If this reply helps you, Karma would be appreciated.
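An added example, not a search from this thread, showing the tstats form of the original search with the point above applied: every field in the where and by clauses carries the DNS object prefix of the Network_Resolution datamodel. It assumes the client IP the original search calls dns_request_client_ip is what the datamodel maps to DNS.src, that lookup1 has a column named ip_address, and it does the lookup exclusion with the lookup command after tstats instead of a subsearch, which gives the same result without the subsearch result limits.

```spl
| tstats count
    from datamodel=Network_Resolution
    where DNS.message_type="query" NOT DNS.src="127.0.0.1"
    by DNS.src
| rename DNS.src AS dns_request_client_ip
| lookup lookup1 ip_address AS dns_request_client_ip OUTPUT ip_address AS excluded_ip
| where isnull(excluded_ip)
| fields - excluded_ip
```

If the datamodel is accelerated, adding summariesonly=true to the tstats command restricts it to the accelerated summaries, which is where the speed gain over the raw index search comes from.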

avoelk
Communicator

ah gosh, that must be it. thanks a lot! I'll try it asap 🙂

thanks Rich!
