https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400013#M115935 <P>On lines with your query try the following run anywhere example based on <CODE>_internal index and sourcetype splunkd</CODE>, which works fine for me:</P> <PRE><CODE>index=_internal sourcetype="splunkd" "INFO" | stats count as totalCount | appendcols [ search index=_internal sourcetype="splunkd" "ERROR" | stats count as errorCount] | eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2) </CODE></PRE> <P>Also, based on the query provided in your question, your main search <CODE>index=logs source="*svc1*"</CODE> is the same for both <CODE>"transaction attempt"</CODE> and <CODE>"transaction error"</CODE> queries. So second search is actually better search based on performance. But please explain why it would not work? What are the different log locations?</P> Wed, 16 Jan 2019 15:59:18 GMT niketn 2019-01-16T15:59:18Z https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400009#M115931 <P>hi apologies but i'm not very verse in splunk. i'm trying to run two separate queries in one search but i get the following error.</P> <PRE><CODE>index=logs source="*svc1*" "transaction attempt" | stats count as totalCount | appendcols | [search index=logs source="*svc1*" "transaction error" | stats count as errorCount] eval (errorPercentage = totalCount - errorCount \ totalCount) </CODE></PRE> <P><STRONG>Error</STRONG><BR /> <CODE>Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '205' of search query 'search index=nonprod_applogs source="*svc1-...{snipped} {errorcontext = endcols | [search ind}'.</CODE></P> Wed, 16 Jan 2019 01:44:45 GMT https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400009#M115931 jaj 2019-01-16T01:44:45Z https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400010#M115932 <P>@jaj try the following.</P> <PRE><CODE>index=logs source="*svc1*" "transaction attempt" | stats count as totalCount | appendcols [ search index=logs source="*svc1*" "transaction error" | stats count as errorCount] | eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2) </CODE></PRE> <P>However, in order to avoid subsearch limitations you could have tried the following search instead:</P> <PRE><CODE>index=logs source="*svc1*" "transaction attempt" OR "transaction error" | stats count(eval(searchmatch("transaction attempt"))) as totalCount count(eval(searchmatch("transaction error"))) as errorCount | eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2) </CODE></PRE> Wed, 16 Jan 2019 02:41:31 GMT https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400010#M115932 niketn 2019-01-16T02:41:31Z https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400011#M115933 <P>Thanks @niketnilay however, i still get the same error with your first answer. also there is more than likely a good chance the second search will look at logs from another source (not sv1 but svc2) so i need to try to figure out first solution before consolidating logs. thx</P> <P>Error from number one solution:<BR /> <CODE>Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '211' of search query 'search index=logs source="*svc1...{snipped} {errorcontext = ls | [ search in}'.</CODE></P> Wed, 16 Jan 2019 12:57:50 GMT https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400011#M115933 jaj 2019-01-16T12:57:50Z https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400012#M115934 <P>@niketnilay the second one did work beautifully. however, still trying to figure out how to make 1 work because of two different log locations for each type of match (attempts vs errors). any info is super appreciated thanks</P> Wed, 16 Jan 2019 13:12:15 GMT https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400012#M115934 jaj 2019-01-16T13:12:15Z https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400013#M115935 <P>On lines with your query try the following run anywhere example based on <CODE>_internal index and sourcetype splunkd</CODE>, which works fine for me:</P> <PRE><CODE>index=_internal sourcetype="splunkd" "INFO" | stats count as totalCount | appendcols [ search index=_internal sourcetype="splunkd" "ERROR" | stats count as errorCount] | eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2) </CODE></PRE> <P>Also, based on the query provided in your question, your main search <CODE>index=logs source="*svc1*"</CODE> is the same for both <CODE>"transaction attempt"</CODE> and <CODE>"transaction error"</CODE> queries. So second search is actually better search based on performance. But please explain why it would not work? What are the different log locations?</P> Wed, 16 Jan 2019 15:59:18 GMT https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400013#M115935 niketn 2019-01-16T15:59:18Z https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400014#M115936 <P>@niketnilay worked beautifully! thanks so much </P> Wed, 16 Jan 2019 18:14:52 GMT https://community.splunk.com/t5/Splunk-Search/Two-queries-in-one-SearchParser-Subsearch-error/m-p/400014#M115936 jaj 2019-01-16T18:14:52Z