https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456466#M129046 <P>I'm sorry I do not understand what I want to do.</P> <P>If only to extract<BR /> (your search)<BR /> |where where isnotnull(ErrorCnt)</P> <P>If conditional summary ex･･･<BR /> |stats sum(eval(if(isnotnull(ErrorCnt), Total,0))) AS Total</P> Wed, 25 Jul 2018 05:59:23 GMT HiroshiSatoh 2018-07-25T05:59:23Z https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456463#M129043 <P>Hi all,</P> <P>I have below query and the results like below table, is there a way that only search and display total count for the Users who have error(User1, User2, User3)?</P> <PRE><CODE> index=aaa sourcetype=bbb |eval errorByService=case(ErrorCode=400 AND match(uri,"/service1/*"),"service1",ErrorCode=400 AND match(uri,"/service2/*"),"service2",ErrorCode=400 AND match(uri,"/service3/*"),"service3")|stats count as ErrorCnt by User errorByService |appendcols [search index=aaa sourcetype=bbb |eval totalByService=case(match(uri,"/service1/*"),"service1",match(uri,"/service2/*"),"service2", match(uri,"/service3/*"),"service3")|stats count as Total by User totalByService] |eval ErrorRate=ErrorCnt/Total |fields User, errorByService, ErrorCnt, totalByService, Total, ErrorRate </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5419i55E0569B1D50B623/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 24 Jul 2018 09:24:25 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456463#M129043 Min1025 2018-07-24T09:24:25Z https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456464#M129044 <P>It is possible with ”addcoltotals” if you add a field for calculation.</P> <PRE><CODE>(your search) |eval Error=if(isnull(ErrorCnt),0,1) |addcoltotals labelfield=User label=TOTAL Error </CODE></PRE> Tue, 24 Jul 2018 11:02:55 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456464#M129044 HiroshiSatoh 2018-07-24T11:02:55Z https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456465#M129045 <P>Hi HiroshiSatoh,</P> <P>Thank you for your answer. Maybe there is a ambiguity for my question. My question is if it possible the User range for subsearch is only for those user who have error.</P> <P>In subsearch, it searched all Users' data, the results shows the "Total" for User1, User2...User8, but only User1,User2, User3 have error, I want to only search and show "Total" for User1,User2, User3 in subsearch, is it possible?<BR /> Expected results:<BR /> User errorByService ErrorCnt totalByService Total ErrorRate<BR /> User1 service1 2 service1 20 0.1<BR /> User2 service1 3 service1 24 0.125<BR /> User3 service2 5 service2 35 0.142857143</P> Wed, 25 Jul 2018 04:46:18 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456465#M129045 Min1025 2018-07-25T04:46:18Z https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456466#M129046 <P>I'm sorry I do not understand what I want to do.</P> <P>If only to extract<BR /> (your search)<BR /> |where where isnotnull(ErrorCnt)</P> <P>If conditional summary ex･･･<BR /> |stats sum(eval(if(isnotnull(ErrorCnt), Total,0))) AS Total</P> Wed, 25 Jul 2018 05:59:23 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-subsearch/m-p/456466#M129046 HiroshiSatoh 2018-07-25T05:59:23Z