How do I pass a single value query output to a fie... - Splunk Community

Splunk Search

I have a requirement to print the source count from how many hosts we are collecting.

Expected output: source_count/host_count

index=main | eval host_count=[ search index=main sourcetype=log1 | dedup host | stats dc(host) as Host_Count | return $Host_Count | eval source_count=[ search index=main sourcetype=log1 | dedup source | stats dc(source) as Source_Count | return Source_Count] | eval count=source_count + "/" + host_count

index=main sourcetype=log1 
| stats dc(host) as Host_Count dc(source) as Source_Count 
| eval count=Source_Count + "/" + Host_Count 
| fields count

Hi @kmaron
I have two different query to fetch the data. I cann't get both count in same stats.

sorry. they look the same in your example.

Try this instead then

(first base search)
| stats dc(host) as Host_Count 
| append 
    [ search (second base search)
    | stats dc(source) as Source_Count 
    | fields Source_Count] 
| stats values(Host_Count) as Host_Count values(Source_Count) as Source_Count 
| eval count=Source_Count + "/" + Host_Count 
| fields count

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...