https://community.splunk.com/t5/Splunk-Search/Unable-to-divide-output-of-two-queries/m-p/510739#M142967 <P>There are a couple of lapses in that query.</P><P>The <FONT face="courier new,courier">eval</FONT> uses fields (<FONT face="courier new,courier">max(total_atc_events)</FONT> and <FONT face="courier new,courier">max(atc_failures)</FONT>)&nbsp; that don't exist.&nbsp; <FONT face="courier new,courier">max</FONT> is a <FONT face="courier new,courier">stats</FONT> function, not an <FONT face="courier new,courier">eval</FONT> function.</P><P>There seems to be some confusion over how append works.&nbsp; I'll try to explain.</P><P>The main search returns a set of results with fields "count" and "total_atc_events".</P><P>The subsearch within append returns a separate set of results with fields "count" and "atc_failures".</P><P>It's like writing two shopping lists on the same page.&nbsp; There's nothing to tie them together other than being on the same paper.</P><P>The solution is simple.&nbsp; Use the stats command to correlate the two sets of results based on one or more common fields.&nbsp; Do the events have a common field?&nbsp;</P><LI-CODE lang="markup">index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.event"=ATC_CLICK | stats count by log.event |rename log.event as total_atc_events | append [ search index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.msg"="ATC click failure" | stats count by log.msg | rename log.msg as atc_failures ] | stats values(*) as * by &lt;some common field name&gt; | eval error = max(total_atc_events) / max(atc_failures) | stats count by error</LI-CODE> Thu, 23 Jul 2020 21:09:37 GMT richgalloway 2020-07-23T21:09:37Z https://community.splunk.com/t5/Splunk-Search/Unable-to-divide-output-of-two-queries/m-p/510735#M142965 <P>Hi team, I want to divide the output result of one query with output of second query and get a remainder. I am using the following query but unable to get any results for this<BR /><BR />index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.event"=ATC_CLICK | stats count by log.event |rename log.event as total_atc_events | append [ search index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.msg"="ATC click failure" | stats count by log.msg | rename log.msg as atc_failures ] | eval error = max(total_atc_events) / max(atc_failures) | stats count by error<BR />Can anyone please assist ?</P> Thu, 23 Jul 2020 20:17:16 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-divide-output-of-two-queries/m-p/510735#M142965 preetham2215 2020-07-23T20:17:16Z https://community.splunk.com/t5/Splunk-Search/Unable-to-divide-output-of-two-queries/m-p/510739#M142967 <P>There are a couple of lapses in that query.</P><P>The <FONT face="courier new,courier">eval</FONT> uses fields (<FONT face="courier new,courier">max(total_atc_events)</FONT> and <FONT face="courier new,courier">max(atc_failures)</FONT>)&nbsp; that don't exist.&nbsp; <FONT face="courier new,courier">max</FONT> is a <FONT face="courier new,courier">stats</FONT> function, not an <FONT face="courier new,courier">eval</FONT> function.</P><P>There seems to be some confusion over how append works.&nbsp; I'll try to explain.</P><P>The main search returns a set of results with fields "count" and "total_atc_events".</P><P>The subsearch within append returns a separate set of results with fields "count" and "atc_failures".</P><P>It's like writing two shopping lists on the same page.&nbsp; There's nothing to tie them together other than being on the same paper.</P><P>The solution is simple.&nbsp; Use the stats command to correlate the two sets of results based on one or more common fields.&nbsp; Do the events have a common field?&nbsp;</P><LI-CODE lang="markup">index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.event"=ATC_CLICK | stats count by log.event |rename log.event as total_atc_events | append [ search index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.msg"="ATC click failure" | stats count by log.msg | rename log.msg as atc_failures ] | stats values(*) as * by &lt;some common field name&gt; | eval error = max(total_atc_events) / max(atc_failures) | stats count by error</LI-CODE> Thu, 23 Jul 2020 21:09:37 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-divide-output-of-two-queries/m-p/510739#M142967 richgalloway 2020-07-23T21:09:37Z https://community.splunk.com/t5/Splunk-Search/Unable-to-divide-output-of-two-queries/m-p/510756#M142993 <P>index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.event"=ATC_CLICK<BR />| stats count as total_atc_events by log.event<BR />| appendcols<BR />[ search index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.msg"="ATC click failure"<BR />| stats count as atc_failures by log.msg ]<BR /><SPAN>| eval error = max(total_atc_events) / max(atc_failures)<BR /><BR /></SPAN>if it's going to run&nbsp;<STRONG>eval</STRONG>, like above.&nbsp;<BR />I'm not sure what you want.&nbsp;<BR /><BR />index="wcnp_search-frontend" kubernetes.container_name=search-electrode-app "log.event"=ATC_CLICK OR "log.msg"="ATC click failure"&nbsp;<BR />| stats count(eval(log.event="ATC_CLICK")) as&nbsp;<SPAN>total_atc_events count(eval(log.msg="ATC click failure")) as atc_faiures<BR />| eval error = round(atc_failures / total_atc_events * 100,2)."%"<BR /><BR />Isn't that good enough?</SPAN></P> Thu, 23 Jul 2020 23:57:16 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-divide-output-of-two-queries/m-p/510756#M142993 to4kawa 2020-07-23T23:57:16Z