Hi,
I have a search where Splunk data is joined with a lookup, and I need a timechart on one of the fields provided by the lookup, but I can't get it to work. Not sure what I'm doing wrong...
Here's the search, which works fine.
index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful" | fields time, CORP_ID, host |dedup CORP_ID |table CORP_ID, host, time |eval location=case(host LIKE "%mmk%", "MMK", host LIKE "%rtd%", "RTP", host LIKE "%oma%", "OMA", host LIKE "%", "Others")|lookup tinypeople.csv CORP_ID OUTPUT CORP_ID, DISPLAY_NAME, COMPLETE_NAME, COST_CENTER, BUSINESS_UNIT_CODE, BUSINESS_GROUP_CODE, BUSINESS_GROUP_DESC, POSN_LOC_LOCALITY_CODE, BUSINESS_UNIT_DESC
I tried adding a |timechart count by BUSINESS_UNIT_DESC, but it comes back with "No Results found". What am I doing wrong?
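An added example, not the poster's own search: timechart buckets events on the internal _time field, and table keeps only the columns it is given, so _time is discarded before timechart runs. This variant assumes the same index, lookup and field names as the post and simply keeps _time in the pipeline.

```spl
index=network sourcetype=ive_syslog host=*eraweb* "Primary authentication successful"
| dedup CORP_ID
| eval location=case(host LIKE "%mmk%", "MMK", host LIKE "%rtd%", "RTP", host LIKE "%oma%", "OMA", host LIKE "%", "Others")
| lookup tinypeople.csv CORP_ID OUTPUT DISPLAY_NAME, COMPLETE_NAME, COST_CENTER, BUSINESS_UNIT_CODE, BUSINESS_GROUP_CODE, BUSINESS_GROUP_DESC, POSN_LOC_LOCALITY_CODE, BUSINESS_UNIT_DESC
| fields _time, CORP_ID, host, location, BUSINESS_UNIT_DESC
| timechart count by BUSINESS_UNIT_DESC
```

Because dedup keeps the first event per CORP_ID, the chart counts one login per user per business unit within the search window rather than every login; if the table view is still wanted, run it as a separate search after timechart, or list _time explicitly in table.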