I've noticed that on Splunk 4.1.3 the timechart and chart commands, when used with "limit=0", the "count" aggregation and split-by-clause, will add a "count" column to the results.
The results table will show something like:
That fake, all-zeros data series will display in reports, and clicking on it would drill down to a search filtered with host=count (in this example). This happens even if using count(_raw), but does not happen with other stats, such as "max". Splunk is 4.1.3 on a 64-bit Linux box.

I can confirm that this is a bug. Use the fields workaround for now.
We discovered the bug ourselves a few weeks ago and hopefully it'll be fixed before too long. (It's filed as SPL-32241 for splunkers following along.)

A workaround would be to pipe it all through the "fields" command:
... | timechart limit=0 count by host | fields - count
to remove the erroneous column.