https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143012#M39714 <P>I have a query that combines 1 search and 2 sub-searches. The main search is a summary index and sum(count) in the timechart to look right. The 2 sub searches do not need sum(count) - they just need "count" so they are represented properly on the timechart.</P> <P>I was thinking if there was a way to convert sum(count) to count I would be good. </P> <P>This summary index runs every 15 minutes and buckets by the minute:</P> <P>Here's my Attempt to translate sum(count) to count:<BR /> index="summary_onemin" error | evenstats sum(count) as count by _time | append [| search index=power_user "null" | bucket _time span=2m | eval CODE=powerNULL] | timechart span=2m by CODE</P> <P>Without the subsearch the search would look like this and works as intended:<BR /> index="summary_onemin" error | timechart sum(count) as COUNT by CODE</P> Mon, 28 Sep 2020 17:04:28 GMT subtrakt 2020-09-28T17:04:28Z https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143012#M39714 <P>I have a query that combines 1 search and 2 sub-searches. The main search is a summary index and sum(count) in the timechart to look right. The 2 sub searches do not need sum(count) - they just need "count" so they are represented properly on the timechart.</P> <P>I was thinking if there was a way to convert sum(count) to count I would be good. </P> <P>This summary index runs every 15 minutes and buckets by the minute:</P> <P>Here's my Attempt to translate sum(count) to count:<BR /> index="summary_onemin" error | evenstats sum(count) as count by _time | append [| search index=power_user "null" | bucket _time span=2m | eval CODE=powerNULL] | timechart span=2m by CODE</P> <P>Without the subsearch the search would look like this and works as intended:<BR /> index="summary_onemin" error | timechart sum(count) as COUNT by CODE</P> Mon, 28 Sep 2020 17:04:28 GMT https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143012#M39714 subtrakt 2020-09-28T17:04:28Z https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143013#M39715 <P>Can you post your full search?</P> Tue, 15 Jul 2014 15:51:33 GMT https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143013#M39715 somesoni2 2014-07-15T15:51:33Z https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143014#M39716 <P>Try this</P> <PRE><CODE> index="summary_onemin" error | table _time CODE count | append [search index=power_user "null" | bucket _time span=2m | eval CODE=powerNULL | stats count by _time, CODE] | timechart span=2m sum(count) as count by CODE </CODE></PRE> Tue, 15 Jul 2014 21:00:30 GMT https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143014#M39716 somesoni2 2014-07-15T21:00:30Z https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143015#M39717 <P>Thanks Somesoni!</P> Tue, 15 Jul 2014 23:45:48 GMT https://community.splunk.com/t5/Splunk-Search/Query-help-with-search-using-sum-count-and-2-subsearches-using/m-p/143015#M39717 subtrakt 2014-07-15T23:45:48Z