I have a problem with a query, that I'm trying to use on a dashboard. It works weird: sometimes it returns expected results, sometimes does not and shows instead "No result found". To understand what could be a problem I opened the query in Search window. Time window is "7 days", mode "Smart Mode", query is
File was moved to | timechart count span=1d
and it returns "No result found" message. see Image_2 attached.
I have made 3 observations with the query:
If I remove transformation "timechart", the query returns more than 5 thousands events. So data is definitely there.
If I revert query back to original (as above) - it returns "No result found" again. But if I change to Verbose mode it returns expected results. It is something, but there is no way to ask dashboard execute the query in Verbose mode, right?
I switched back to Smart mode - it returns "No result found" again and when I changed time window from "7 days" to "7 days window" - the query returns almost correct result. (see image_1) It is almost correct, as first value is wrong, because time windows slides, so part of first day is not included into search.
I spend hours searching an answer in Knowledge base, Documentation, googling, but with no success. What I'm doing wrong?
... View more