I've noticed that on Splunk 4.1.3 the timechart and chart commands, when used with "limit=0", the "count" aggregation and split-by-clause, will add a "count" column to the results.
... | chart count limit=0 over _time by host
... | timechart limit=0 count by host
The results table will show something like:
_time host1 host2 count host3 ....
That fake, all-zeros, data series will display in reports and clicking on it would drilldown to a search filtered with host=count (in this example).
This happens even if using count(_raw), but does not happen with other stats, such as "max".
Splunk is 4.1.3 on a 64bit Linux box
A workaround would be to pipe it all through the "fields" command
... | timechart limit=0 count by host | fields - count
to remove the erroneous column
I can confirm that this is a bug. Use the fields workaround for now
<your search> | timechart limit=0 count by host | fields - count
We discovered the bug ourselves a few weeks ago and hopefully it'll be fixed before too long.
(its filed as SPL-32241 for splunkers following along)
View solution in original post