https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138807#M38131 <P>Nice catch <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> , updated answer to correct this.</P> Tue, 22 Apr 2014 17:49:36 GMT somesoni2 2014-04-22T17:49:36Z https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138803#M38127 <P>I am new to creating subsearches and have completed a few of them successfully. This latest example is causing me a bit of greif. </P> <P>I am trying to <BR /> 1. do a stats count to provide error count in one search<BR /> 2. sum a value to create a transaction count from a different data source<BR /> 3. display the results in a table or chart like below</P> <P>transactions 10000<BR /> errors 100</P> <P>Here is my search<BR /> index=dspro sourcetype=telemetry | chart sum(TotalTransactions) as transaction_count [search index=dspro sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph) | stats count as error_count] | chart, transaction_count, error_count</P> <P>Here is the error it generates<BR /> Error in 'chart' command: The argument '( ( error_count=25045 ) )' is invalid. </P> <P>Eventually I will want to create a third line in the chart that provides the percentage of errors. </P> <P>Please help</P> <P>Thank you<BR /> Don</P> Mon, 28 Sep 2020 16:26:10 GMT https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138803#M38127 DonDandrea 2020-09-28T16:26:10Z https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138804#M38128 <P>Try this</P> <PRE><CODE>index=dspro (sourcetype=telemetry) OR (sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph)) | stats sum(TotalTransactions) as transaction_count count(eval(sourcetype="bootlogmaster")) as error_count </CODE></PRE> Tue, 22 Apr 2014 17:33:30 GMT https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138804#M38128 somesoni2 2014-04-22T17:33:30Z https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138805#M38129 <P>I think you should replace <CODE>count(eval(sourcetype="telemetry"))</CODE> with <CODE>sum(TotalTransactions)</CODE>.</P> Tue, 22 Apr 2014 17:46:18 GMT https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138805#M38129 martin_mueller 2014-04-22T17:46:18Z https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138806#M38130 <P>That definately is a step closer. The only problem is that is doing a stats count to determine a value for transaction count. Transaction count needs to be determined by adding together all the values for the field TotalTransactions from the telemetry data.</P> Tue, 22 Apr 2014 17:49:06 GMT https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138806#M38130 DonDandrea 2014-04-22T17:49:06Z https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138807#M38131 <P>Nice catch <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> , updated answer to correct this.</P> Tue, 22 Apr 2014 17:49:36 GMT https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138807#M38131 somesoni2 2014-04-22T17:49:36Z https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138808#M38132 <P>Now we're talking. Thank you very much. You guys are awesome.</P> Wed, 23 Apr 2014 11:12:36 GMT https://community.splunk.com/t5/Splunk-Search/Error-with-subsearch/m-p/138808#M38132 DonDandrea 2014-04-23T11:12:36Z