Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

table at first has results but in the end has 0 event

angelia_zhong
Engager
‎05-26-2015 05:44 AM

hi everybody,
I met very strange stiuation when I do the search. This is the code:
...
|transaction id mvlist=t startswith=eval(tri="1") endswith=eval(tri="4")
|eval id =mvindex (id, -1)
...
|table id duration realduration lat1 lat2 long1 long2
|outputcsv result.csv

At first i can see the results in the table. Until the finalizing jobs I can see the results too. The finalizing jobs takes a long time. It took about 2 Hours during the search. But in the End there is 0 Event. It said: "Found no results to write to file 'result.csv'." No Warnings took place.

I have no ideal why this will happen. This is very strange. Who knows, how to fix the problem. Thank you very much.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-06-2015 07:55 AM

This is somewhat normal if you are piping to many "rolling up"-type commands (e.g. stats) because Splunk is designed to give you preliminary (NOT PARTIAL) results along the way while your search is processing. Normally this is very useful but in some cases like yours, it can be misleading and confusing. Such complicated searches also may take a while to finalize so that is normal, too. You should never forget that any search may show preliminary results that are later properly vacated using the plenary results in the finalization stage. If you believe that you should have results, then you almost certainly have a mistake in your search string. To find the mistake, throw away each post-pipe clause, one by one, starting from the right side and make sure at each stage that the preliminary stages' results look the way they should. As the others have said, we really cannot tell more without your exact search and some real sample data.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-26-2015 06:22 AM

The answer may have something to do with the omitted parts of your search. Can you share a little bit more?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

immortalraghava
Path Finder
‎05-26-2015 06:46 AM

I think this is similar to this question ... http://answers.splunk.com/answers/238267/search-with-result-shows-no-results-found-error-af.html

Hope someone answers !!

Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...