Hi,
I have a search where Splunk data is joined with a lookup, and I need a timechart on one of the fields provided by the lookup, but I can't get it to work. Not sure what I'm doing wrong...
Here's the search, which works fine.
index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful"
| fields time, CORP_ID, host
| dedup CORP_ID
| table CORP_ID, host, time
| eval location=case(host LIKE "%mmk%", "MMK", host LIKE "%rtd%", "RTP", host LIKE "%oma%", "OMA", host LIKE "%", "Others")
| lookup tinypeople.csv CORP_ID OUTPUT CORP_ID, DISPLAY_NAME, COMPLETE_NAME, COST_CENTER, BUSINESS_UNIT_CODE, BUSINESS_GROUP_CODE, BUSINESS_GROUP_DESC, POSN_LOC_LOCALITY_CODE, BUSINESS_UNIT_DESC
I tried adding a |timechart count by BUSINESS_UNIT_DESC, but it comes back with "No Results found". What am I doing wrong?
Try this:
index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful"
| lookup tinypeople.csv CORP_ID
| timechart count by BUSINESS_UNIT_DESC
Is the time field not in the final results? That one is critical for the timechart to work.
Also, if you do dedup and then table, consider replacing both with a stats command for improved performance.
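As an added example (not from any of the posters in this thread), here is one way to put both suggestions above into a single search. It reuses the field names, host patterns and lookup columns from the original post; nothing else is assumed. In the original search, `table CORP_ID, host, time` keeps only the three fields it names, so `_time` (the field timechart buckets on, distinct from the extracted `time` field) never reaches timechart. Keeping `_time` through a stats step instead of dedup + table avoids that:

```spl
index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful"
| eval location=case(host LIKE "%mmk%", "MMK", host LIKE "%rtd%", "RTP", host LIKE "%oma%", "OMA", true(), "Others")
| stats max(_time) as _time, latest(host) as host, latest(location) as location by CORP_ID
| lookup tinypeople.csv CORP_ID OUTPUT DISPLAY_NAME, BUSINESS_UNIT_DESC
| eval BUSINESS_UNIT_DESC=coalesce(BUSINESS_UNIT_DESC, "NOT FOUND")
| timechart span=1h count by BUSINESS_UNIT_DESC
```

The stats line gives one row per CORP_ID, as dedup did, and `max(_time) as _time` stamps that row with the user's most recent successful login so timechart has something to bucket. Note what the chart then counts: per hour, the number of users whose latest login fell in that hour, split by business unit. To chart every successful login per business unit over time, drop the stats line entirely; the lookup and timechart work per event. The coalesce keeps users missing from tinypeople.csv visible as "NOT FOUND" instead of silently excluding them from the chart, which matters when the chart is used to review who is authenticating.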
Can you confirm that in your search (without timechart) that the field "BUSINESS_UNIT_DESC" actually has data in it?
Yes, it returns a table of information, and that field is populated.
Can you try this?
your search | eval BUSINESS_UNIT_DESC=coalesce(BUSINESS_UNIT_DESC,"NOT FOUND") | timechart count by BUSINESS_UNIT_DESC
Got it. Never mind.. Thanks!
Hi @a212830
Can you confirm what the issue was and share the answer below for other users to resolve this post?
Out of curiosity, what was the problem?