https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252303#M75479 <P>Hi ,<BR /> I am using two queries and then want to use the <STRONG>status</STRONG> from the first query and the <STRONG>DP_Time</STRONG> from the second query to display a chart.</P> <P>I can get the count of both but cant use "by status" or "count over status" statement.</P> <PRE><CODE>index="np_dpa" "*-api-monitor" PROXYNAME=mpgw_SMARTtrek* EventType="[request]" OR EventType="[error]" | eval status=case(EventType="[error]","Fail",EventType="[request]","Success") | append [search index=np_dpa PROXYNAME=mpgw_SMARTtrekTelematicsAPI latency| eval Back_Time = abs(bs_conn_attempt-res_hdr_rec)/1000 | eval Req_Time = abs(req_transmitted-req_hdr_rd)/1000 | eval Resp_Time = abs(res_hdr_rec-res_transmitted)/1000 | eval Total_Time = abs(res_transmitted-req_hdr_rd)/1000 |eval DP_Time=abs(Req_Time + Resp_Time)] |chart avg(DP_Time) count over status </CODE></PRE> Fri, 29 Jan 2016 18:43:09 GMT athorat 2016-01-29T18:43:09Z https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252303#M75479 <P>Hi ,<BR /> I am using two queries and then want to use the <STRONG>status</STRONG> from the first query and the <STRONG>DP_Time</STRONG> from the second query to display a chart.</P> <P>I can get the count of both but cant use "by status" or "count over status" statement.</P> <PRE><CODE>index="np_dpa" "*-api-monitor" PROXYNAME=mpgw_SMARTtrek* EventType="[request]" OR EventType="[error]" | eval status=case(EventType="[error]","Fail",EventType="[request]","Success") | append [search index=np_dpa PROXYNAME=mpgw_SMARTtrekTelematicsAPI latency| eval Back_Time = abs(bs_conn_attempt-res_hdr_rec)/1000 | eval Req_Time = abs(req_transmitted-req_hdr_rd)/1000 | eval Resp_Time = abs(res_hdr_rec-res_transmitted)/1000 | eval Total_Time = abs(res_transmitted-req_hdr_rd)/1000 |eval DP_Time=abs(Req_Time + Resp_Time)] |chart avg(DP_Time) count over status </CODE></PRE> Fri, 29 Jan 2016 18:43:09 GMT https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252303#M75479 athorat 2016-01-29T18:43:09Z https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252304#M75480 <P>Although status exists in both sets of results, DP_Time does not. So, when you do a <CODE>stats function(field) by someotherfield</CODE>, if <CODE>someotherfield</CODE> does not exist in both sets of results, you will get zero results.</P> Fri, 29 Jan 2016 18:49:14 GMT https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252304#M75480 masonmorales 2016-01-29T18:49:14Z https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252305#M75481 <P>instead of append can I join it some how?</P> Fri, 29 Jan 2016 18:57:32 GMT https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252305#M75481 athorat 2016-01-29T18:57:32Z https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252306#M75482 <P>How are both the result set related? Both status and DP_Time appear to be available in different events, so unless you've a common field correlating them, the graph you're looking is not possible.</P> Fri, 29 Jan 2016 19:11:35 GMT https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252306#M75482 somesoni2 2016-01-29T19:11:35Z https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252307#M75483 <P>@somesoni2 We have TID and Proxyname common between both the queries</P> Fri, 29 Jan 2016 22:03:04 GMT https://community.splunk.com/t5/Splunk-Search/quot-Count-Over-quot-Statement-not-working/m-p/252307#M75483 athorat 2016-01-29T22:03:04Z