I have the following Splunk search query:
| datamodel ticket_feed_dm ticket_feed_obj search
| dedup ticket_feed_obj.ticket_number
| stats count by ticket_feed_obj.asset_id
| rename ticket_feed_obj.asset_id AS asset_id
| eval type=asset_id, label=asset_id
| search count!=0
I am not able to add: search ticket_feed_obj.current_ticket_state="Cancelled" to the query.
"No result found" is shown.
However, the same query runs fine in a table/other visualizations, but not in my bubble chart.
This stats command eliminates all fields not named... that is, all fields except count and ticket_feed_obj.asset_id
...
| stats count by ticket_feed_obj.asset_id
Anything that you want to keep has to be in there somewhere. Here's a first shot at a fix, keeping the most recent ticket_state and ticket_number.
| datamodel ticket_feed_dm ticket_feed_obj search
| dedup ticket_feed_obj.ticket_number
| stats latest(ticket_feed_obj.current_ticket_state) as ticket_state
    latest(ticket_feed_obj.ticket_number) as ticket_number count
    by ticket_feed_obj.asset_id
| rename ticket_feed_obj.asset_id AS asset_id
| eval type=asset_id, label=asset_id
| search count!=0
| search ticket_state="Cancelled"
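The following is an added example, not part of the original thread: a small Python model of the dedup, stats and search steps, run over constructed events, showing why the filter placed after the original stats matches nothing and what the latest() version returns. The helper names and the sample data are assumptions made for illustration.

```python
# Constructed sample events, newest first (the order Splunk returns them).
# Field names drop the ticket_feed_obj. prefix for brevity.
EVENTS = [
    {"_time": 5, "ticket_number": "T3", "asset_id": "A2", "current_ticket_state": "Cancelled"},
    {"_time": 4, "ticket_number": "T2", "asset_id": "A1", "current_ticket_state": "Open"},
    {"_time": 3, "ticket_number": "T1", "asset_id": "A1", "current_ticket_state": "Cancelled"},
    {"_time": 2, "ticket_number": "T3", "asset_id": "A2", "current_ticket_state": "Open"},
    {"_time": 1, "ticket_number": "T4", "asset_id": "A3", "current_ticket_state": "Cancelled"},
]

def dedup(rows, field):
    """Keep the first row seen for each value of field, like `dedup field`."""
    seen, out = set(), []
    for r in rows:
        if r[field] not in seen:
            seen.add(r[field])
            out.append(r)
    return out

def stats(rows, by, latest=None):
    """Model `stats [latest(f) as alias ...] count by <by>`. Output rows carry ONLY
    the by-field, count and the named aggregates; every other field is dropped."""
    groups = {}
    for r in rows:
        groups.setdefault(r[by], []).append(r)
    out = []
    for key, grp in groups.items():
        newest = max(grp, key=lambda r: r["_time"])
        row = {by: key, "count": len(grp)}
        row.update({alias: newest[f] for alias, f in (latest or {}).items()})
        out.append(row)
    return out

def search(rows, field, value):
    """Model `search field="value"`: a row lacking the field never matches."""
    return [r for r in rows if r.get(field) == value]

def original_query():
    # stats count by asset_id, then filter on a field stats has already removed
    rows = stats(dedup(EVENTS, "ticket_number"), by="asset_id")
    return search(rows, "current_ticket_state", "Cancelled")

def fixed_query():
    # carry the state through stats with latest(), then filter on the alias
    rows = stats(dedup(EVENTS, "ticket_number"), by="asset_id",
                 latest={"ticket_state": "current_ticket_state"})
    return search(rows, "ticket_state", "Cancelled")
```

In this sample, asset A1 has a cancelled ticket (T1) but is absent from the fixed query's output, because latest() keeps only the most recent state per asset and A1's newest ticket is Open.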