https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/525922#M148430 <P>Is there a specifics source type the the first one can be referenced against?<BR /><BR />I find the following approach to work best:&nbsp; I write two independent searches&nbsp; to bring the datasets we want.<BR /><BR />Write a search to do an OR statement&nbsp; &nbsp;((Search1 ) OR (Search2 )) pipe to stats&nbsp; I have done counts against matches on sourcetype.&nbsp; In your example I don't know if the first search as an exact sourcetype.&nbsp; I did example stating "firstsourcetype" as a variable to replace twice in the search with the actual sourcetype to be used:<BR /><BR />The following search is intended to search both searches and then | stats (count matches by sourcetype or no by clause as necessary based on objective, then do the eval then table<BR /><BR />( sourcetype="firstsourcetype" "Carrier Failure: provider_name=*" ) OR<BR />( sourcetype="supervisor" host="prod-celery-gateway-0*" "driver dispatch_request: Sending request to" NOT failed )<BR />| stats count(eval(LIKE(sourcetype,"firstsourcetype"))) as total_carrier_errors, count(eval(LIKE(sourcetype,"supervisor"))) as total_requests<BR />| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)<BR />| table total_carrier_errors total_requests<BR /><BR /></P> Wed, 21 Oct 2020 22:25:56 GMT kennetkline 2020-10-21T22:25:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/524727#M148017 <DIV>Basically, I have a problem in which I want to run two queries the first query will return me the total number of requests and the second query will return requests that fail so that i can calculate the percentage but I am unable to do this with a subquery.</DIV><DIV>&nbsp;</DIV><DIV>Currently, I am using this query</DIV><DIV>&nbsp;</DIV><PRE>"Carrier Failure: provider_name=*" <BR />| dedup application_id | stats count AS total_carrier_errors <BR />| append <BR />[search host="prod-celery-gateway-0*" sourcetype="supervisor" <BR />"driver dispatch_request: Sending request to" NOT failed <BR />| stats count AS total_requests] <BR />| table total_carrier_errors total_requests <BR />| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)</PRE><P>Can anyone guide me with this?<BR /><BR />Thank You!</P> Wed, 14 Oct 2020 20:55:52 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/524727#M148017 haiderzada 2020-10-14T20:55:52Z https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/524730#M148018 Could this helps you <A href="https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/m-p/308390" target="_blank">https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/m-p/308390</A> ? Wed, 14 Oct 2020 21:00:09 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/524730#M148018 isoutamo 2020-10-14T21:00:09Z https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/524731#M148019 <P>No this will not help me. Actually, my problem is different from this one I want to run two separate queries one will return me the total number of requests and the second query will return me the number of the failed requests and then I want to calculate the percentage based on these two returned values.</P> Wed, 14 Oct 2020 21:13:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/524731#M148019 haiderzada 2020-10-14T21:13:36Z https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/525922#M148430 <P>Is there a specifics source type the the first one can be referenced against?<BR /><BR />I find the following approach to work best:&nbsp; I write two independent searches&nbsp; to bring the datasets we want.<BR /><BR />Write a search to do an OR statement&nbsp; &nbsp;((Search1 ) OR (Search2 )) pipe to stats&nbsp; I have done counts against matches on sourcetype.&nbsp; In your example I don't know if the first search as an exact sourcetype.&nbsp; I did example stating "firstsourcetype" as a variable to replace twice in the search with the actual sourcetype to be used:<BR /><BR />The following search is intended to search both searches and then | stats (count matches by sourcetype or no by clause as necessary based on objective, then do the eval then table<BR /><BR />( sourcetype="firstsourcetype" "Carrier Failure: provider_name=*" ) OR<BR />( sourcetype="supervisor" host="prod-celery-gateway-0*" "driver dispatch_request: Sending request to" NOT failed )<BR />| stats count(eval(LIKE(sourcetype,"firstsourcetype"))) as total_carrier_errors, count(eval(LIKE(sourcetype,"supervisor"))) as total_requests<BR />| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)<BR />| table total_carrier_errors total_requests<BR /><BR /></P> Wed, 21 Oct 2020 22:25:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Subquery/m-p/525922#M148430 kennetkline 2020-10-21T22:25:56Z