https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580031#M202103 <P>This returns an empty field&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kishan2356_0-1641401790685.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17417i314987358313529B/image-size/medium?v=v2&amp;px=400" role="button" title="kishan2356_0-1641401790685.png" alt="kishan2356_0-1641401790685.png" /></span></P><P>&nbsp;</P> Wed, 05 Jan 2022 16:56:37 GMT kishan2356 2022-01-05T16:56:37Z https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580024#M202101 <P>I have two searches where I need to run an stats count on to do some calculations. First search&nbsp; is</P><P>index=xxx wf_id=xxx wf_env=xxx xxx | stats count</P><P>&nbsp;</P><P>Second search is&nbsp;</P><P>index=xxx wf_id=xxx wf_env=xxx&nbsp; &nbsp; sourcetype=xxx usecase=xxx&nbsp; | stats count by request_id</P><P>&nbsp;</P><P>First search uses a simple stats to get its count, but the second search uses stats count by request_id so I am having trouble getting the counts for both. Ideally I would like to get the counts for both searches and divide them. I've used appendcols but it returns empty fields for both searches. Any guidance on how to get counts for these searches would be helpful!&nbsp;</P><P>&nbsp;</P><P>Working example:</P><TABLE><TBODY><TR><TD width="156"><P>_time</P></TD><TD width="156"><P>Search 1 counts</P></TD><TD width="156"><P>Search 2 counts</P></TD><TD width="156"><P>Search 1/ Search 2</P></TD></TR><TR><TD width="156"><P>00:30</P></TD><TD width="156"><P>50</P></TD><TD width="156"><P>25</P></TD><TD width="156"><P>2</P></TD></TR><TR><TD width="156"><P>00:35</P></TD><TD width="156"><P>100</P></TD><TD width="156"><P>25</P></TD><TD width="156"><P>4</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P> Wed, 05 Jan 2022 16:07:52 GMT https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580024#M202101 kishan2356 2022-01-05T16:07:52Z https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580029#M202102 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/212839">@kishan2356</a>,</P><P>did you tried appendpipe?</P><P>something like this:</P><LI-CODE lang="markup">index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx | stats count by request_id | appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count rename count AS total ] | eval perc=count/total</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 05 Jan 2022 16:39:13 GMT https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580029#M202102 gcusello 2022-01-05T16:39:13Z https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580031#M202103 <P>This returns an empty field&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kishan2356_0-1641401790685.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17417i314987358313529B/image-size/medium?v=v2&amp;px=400" role="button" title="kishan2356_0-1641401790685.png" alt="kishan2356_0-1641401790685.png" /></span></P><P>&nbsp;</P> Wed, 05 Jan 2022 16:56:37 GMT https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580031#M202103 kishan2356 2022-01-05T16:56:37Z https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580032#M202104 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/212839">@kishan2356</a>,</P><P>in my test I have two rows: one with empty field and one with the valued fiel, you could filter for the fields with the value:</P><LI-CODE lang="markup">index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx | stats count by request_id | appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count | rename count AS total ] | search total=* | eval perc=count/total</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 05 Jan 2022 17:05:28 GMT https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580032#M202104 gcusello 2022-01-05T17:05:28Z https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580489#M202236 <P>Thank you for the reply&nbsp;<SPAN>Giuseppe,</SPAN></P><P>Hi am still getting black fields when using appendpipe.</P> Mon, 10 Jan 2022 16:56:33 GMT https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580489#M202236 kishan2356 2022-01-10T16:56:33Z https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580494#M202238 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/212839">@kishan2356</a>,</P><P>please try this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx | bin _time span=5m | stats count by _bin request_id | append [ search index=xxx wf_id=xxx wf_env=xxx xxx | bin _time span=5m | stats count BY _time | rename count AS total ] | stats sum(count) AS count values(total) AS total BY _time | eval perc=count/total</LI-CODE><P>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Mon, 10 Jan 2022 17:27:51 GMT https://community.splunk.com/t5/Splunk-Search/multiple-searches-for-stats/m-p/580494#M202238 gcusello 2022-01-10T17:27:51Z