Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

multiple searches for stats

kishan2356
Explorer
‎01-05-2022 08:07 AM

I have two searches where I need to run an stats count on to do some calculations. First search  is

index=xxx wf_id=xxx wf_env=xxx xxx | stats count

 

Second search is 

index=xxx wf_id=xxx wf_env=xxx    sourcetype=xxx usecase=xxx  | stats count by request_id

 

First search uses a simple stats to get its count, but the second search uses stats count by request_id so I am having trouble getting the counts for both. Ideally I would like to get the counts for both searches and divide them. I've used appendcols but it returns empty fields for both searches. Any guidance on how to get counts for these searches would be helpful! 

 

Working example:

_time

Search 1 counts

Search 2 counts

Search 1/ Search 2

00:30

50

25

2

00:35

100

25

4

 

 

Labels (5)
Labels
0 Karma
Reply

kishan2356
Explorer
‎01-05-2022 08:56 AM

This returns an empty field 

kishan2356_0-1641401790685.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2022 09:05 AM

Hi @kishan2356,

in my test I have two rows: one with empty field and one with the valued fiel, you could filter for the fields with the value:

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| stats count by request_id
| appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count | rename count AS total ]
| search total=*
| eval perc=count/total

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2022 08:39 AM

Hi @kishan2356,

did you tried appendpipe?

something like this:

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| stats count by request_id
| appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count  rename count AS total ]
| eval perc=count/total

Ciao.

Giuseppe

0 Karma
Reply

kishan2356
Explorer
‎01-10-2022 08:56 AM

Thank you for the reply Giuseppe,

Hi am still getting black fields when using appendpipe.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2022 09:27 AM

Hi @kishan2356,

please try this:

 

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| bin _time span=5m
| stats count by _bin request_id
| append [ search 
   index=xxx wf_id=xxx wf_env=xxx xxx 
   | bin _time span=5m 
   | stats count BY _time 
   | rename count AS total 
   ]
| stats sum(count) AS count values(total) AS total BY _time
| eval perc=count/total

 

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...