I have a search where Splunk data is joined with a lookup, and I need a timechart on one of the fields provided by the lookup, but I can't get it to work. Not sure what I'm doing wrong...
Here's the search, which works fine.
index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful" | fields time, CORP_ID, host |dedup CORP_ID |table CORP_ID, host, time |eval location=case(host LIKE "%mmk%", "MMK", host LIKE "%rtd%", "RTP", host LIKE "%oma%", "OMA", host LIKE "%", "Others")|lookup tinypeople.csv CORP_ID OUTPUT CORP_ID, DISPLAY_NAME, COMPLETE_NAME, COST_CENTER, BUSINESS_UNIT_CODE, BUSINESS_GROUP_CODE, BUSINESS_GROUP_DESC, POSN_LOC_LOCALITY_CODE, BUSINESS_UNIT_DESC
I tried adding a
|timechart count by BUSINESS_UNIT_DESC, but it comes back with "No Results found". What am I doing wrong?
Is the time field not in the final results? That one is critical for the timechart to work.
Also, if you do
dedup and then
table, consider replacing both with a
stats command for improved performance.