No results found, still chart and stats return 1.

stratenh · ‎11-20-2016

Hi,

I have a query which returns no results:

index="itsm" sourcetype=incidents | dedup NUMBER sortby OPEN_TIME | search STATUS!=Closed STATUS!=Resolved ASSIGNMENT="MY GROUP"

but when I add chart or stats:

index="itsm" sourcetype=incidents | dedup NUMBER sortby OPEN_TIME | search STATUS!=Closed STATUS!=Resolved ASSIGNMENT="MY GROUP" | chart count

it returns 1 (but not always).

Does someone have an explanation for this and a solution?

Thanks.

Regard, Hans van Straten

stratenh · ‎11-23-2016

My query was wrong. The dedup sorted nothing, because OPEN_TIME is the same. So sorting is different every time, as well as the remaining records after the dedup.

Sorry for taking your time.

Regards, Hans van Straten

TiagoTLD1 · ‎11-21-2016

Are you fixing your Time Range or is it a Relative Time Range? That could explain the intermittence of 0 and 1 values

stratenh · ‎11-23-2016

Maybe some additional info will help.

I created a dashboard with this query in it. I didn't notice the problem before we used the dashboard.

stratenh · ‎11-22-2016

It's a relative time range of 1 week. But swithing between the 2 queries back and forth didn't show any change in the results. The number of records is also very low. A couple of records per week after filtering on ASSIGNMENT. So I don't expect this to be the problem.

stratenh · ‎11-22-2016

At this moment I don't see the issue using a relative period of 1 week. Just to be sure, I now used a fixed time frame specifying a period from Monday morning until the next Monday morning: it's still there. So a relative period is not the issue.

No results found, still chart and stats return 1.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life