How to calculate 2 different search results from one source



We want to calculate some request times vs. request numbers.

What we do is:

source=ourdata.log | timechart span=1h sum(duration) as impact count(ws-method) by domain

Now we want to search in the same log for

source=ourdata.log | stats (count) ws-method="thespecialmessage"

With the results from the second search, we want to divide the results from the first query. How can we do that?
This seems to be a multidimensional search...



Hi tpaulson,

Have you thought about using subsearches?

Check the doco:


Splunk Employee


I do not understand your second search.

Do you mean:
source=ourdata.log ws-method="thespecialmessage" | stats count
source=ourdata.log ws-method="thespecialmessage" | stats count(eval('ws-method'=="thespecialmessage")) ?

As Turk mentioned, the subsearch is your friend here.
