Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does my timechart search return "No results found"?

a212830
Champion
‎02-06-2016 04:32 PM

Hi,

I have a search where Splunk data is joined with a lookup, and I need a timechart on one of the fields provided by the lookup, but I can't get it to work. Not sure what I'm doing wrong...

Here's the search, which works fine. 

index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful" | fields time, CORP_ID, host |dedup CORP_ID |table CORP_ID, host, time  |eval location=case(host LIKE "%mmk%", "MMK", host LIKE "%rtd%", "RTP", host LIKE "%oma%", "OMA", host LIKE "%", "Others")|lookup tinypeople.csv CORP_ID  OUTPUT  CORP_ID, DISPLAY_NAME, COMPLETE_NAME, COST_CENTER, BUSINESS_UNIT_CODE, BUSINESS_GROUP_CODE, BUSINESS_GROUP_DESC, POSN_LOC_LOCALITY_CODE, BUSINESS_UNIT_DESC

I tried adding a |timechart count by BUSINESS_UNIT_DESC, but it comes back with "No Results found". What am I doing wrong?

0 Karma
Reply

Anantha123
Communicator
‎09-26-2019 09:43 AM

try this

index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful"
| lookup tinypeople.csv CORP_ID
| timechart count by BUSINESS_UNIT_DESC

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎02-12-2016 02:17 PM

Is the time field not in the final results? That one is critical for the timechart to work.

Also, if you do dedup and then table, consider replacing both with a stats command for improved performance.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎02-06-2016 05:16 PM

Can you confirm that in your search (without timechart) that the field "BUSINESS_UNIT_DESC" actually has data in it?

0 Karma
Reply

a212830
Champion
‎02-06-2016 05:46 PM

Yes, it returns a table of information, and that field is populated.

0 Karma
Reply

renjith_nair
Legend
‎02-06-2016 06:17 PM

Can you try this ?

your search |eval BUSINESS_UNIT_DESC=coalesce(BUSINESS_UNIT_DESC,"NOT FOUND"|timechart count by BUSINESS_UNIT_DESC
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

a212830
Champion
‎02-06-2016 06:15 PM

Got it. Never mind.. Thanks!

0 Karma
Reply

ppablo
Retired
‎02-07-2016 12:45 PM

Hi @a212830

Can you confirm what the issue was and share the answer below for other users to resolve this post?

0 Karma
Reply

renjith_nair
Legend
‎02-06-2016 07:50 PM

out of curiosity , what was the problem?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...