Solved: Combine the two queries and calculate count

zork67 · ‎09-21-2017

Hello experts.

I tried to execute the query, as described here https://answers.splunk.com/answers/106906/how-to-perform-math-on-single-values.html

In my case, too, there are two requests.

1st search:

index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id" | dedup CID 
 | stats count as part

2nd search:

index=ns SUBMIT_SM  REQUEST host="notif*" | stats count as uniq

I tried to combine these requests into one to calculate the ratio

  | multisearch
       [ search index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id" | dedup CID 
         | eval marker="s" ]
       [ search index=ns SUBMIT_SM  REQUEST host="notif*" 
         | eval marker="o" ]
     | stats count(eval(marker=="s")) as part
             count(eval(marker=="o")) as uniq
     | eval velocity=(part/uniq)*100)

I receive an error:

Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)
The search job has failed due to an error. You may be able to see the job in the Job Inspector.

I tried it differently

index=ns SUBMIT_SM  REQUEST host="notif*" 
 | stats count as part 
 | append [ search index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id" | dedup CID | stats count as uniq] | eval velocity=part/uniq

But velocity was not calculated

Help

zork67 · ‎09-22-2017

I decided this way:

index=ns SUBMIT_SM  REQUEST host="notif*" 
| stats count as part 
| appendcols [search index=ns SUBMIT_SM  REQUEST host="notif*" 
| rex field=_raw "CID\:(?<CID>.*)\ actor-id" 
| dedup CID
| stats count(CID) as uniq ]
| eval ratio=part/uniq
| fields ratio

Thanks to all

View solution in original post

zork67 · ‎09-22-2017

I decided this way:

index=ns SUBMIT_SM  REQUEST host="notif*" 
| stats count as part 
| appendcols [search index=ns SUBMIT_SM  REQUEST host="notif*" 
| rex field=_raw "CID\:(?<CID>.*)\ actor-id" 
| dedup CID
| stats count(CID) as uniq ]
| eval ratio=part/uniq
| fields ratio

Thanks to all

richgalloway · ‎09-22-2017

@zork67 If your problem is resolved, please accept an answer (it's OK to accept your own answer) to help future readers.

---
If this reply helps you, Karma would be appreciated.

lfedak_splunk · ‎09-21-2017

Hey @zork67, if @somesoni2 solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

somesoni2 · ‎09-21-2017

I would do like this (as both have same base search)

index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id"
| stats dc(CID) as part count as uniq
| eval velocity=(part/uniq)*100

zork67 · ‎09-22-2017

Thanks, but still an error

Error in 'eval' command: The expression is malformed.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

somesoni2 · ‎09-22-2017

There is an additional braces in the eval, removed. (search was copied from question so didn't see that)

Combine the two queries and calculate count

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...