Splunk Search

Why am I getting no results when using "stats"?

Liran
Observer

I'm attempting to run a query and I've run into a really weird situation where if I run a query with "head 10 | fields *" I'm getting results but if I use "stats" with any field it does not return results.

For example, this query is returning the results:

index=main sourcetype=o365:management:activity Field1=Value1
| head 10
| fields *

This is returning no results:

index=main sourcetype=o365:management:activity Field1=Value1
| stats count by _time

Somehow this does work and returns the result:

index=main sourcetype=o365:management:activity Field1=Value1
| head 10
| stats count by _time

I've looked into it and did not manage to find similar issues. Has anyone seen anything similar before?

0 Karma

gcusello
SplunkTrust

Hi @Liran,

It's a very strange behaviour that I have never seen.

I suppose that you're using a user with admin grants.

Anyway, did you try using a different field as index or sourcetype?

Did you try to use the Verbose Mode?

Ciao.

Giuseppe

0 Karma

Liran
Observer

I forgot to mention I'm running queries through an API so I don't have access to the Verbose Mode AFAIK.

I don't think there are any issues related to permissions and with other indices or sourcetypes it seems to work fine.

I've added a 3rd example to the original post with an additional query I've used that works.

0 Karma

gcusello
SplunkTrust

Hi @Liran,

I don't have much experience using the API, so I suggest opening a case with Splunk Support.

ciao.

Giuseppe

0 Karma