Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Subquery

haiderzada
New Member
‎10-14-2020 01:55 PM
Basically, I have a problem in which I want to run two queries the first query will return me the total number of requests and the second query will return requests that fail so that i can calculate the percentage but I am unable to do this with a subquery.
 
Currently, I am using this query
 
"Carrier Failure: provider_name=*" 
| dedup application_id | stats count AS total_carrier_errors 
| append 
[search host="prod-celery-gateway-0*" sourcetype="supervisor" 
"driver dispatch_request: Sending request to" NOT failed 
| stats count AS total_requests] 
| table total_carrier_errors total_requests 
| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)

Can anyone guide me with this?

Thank You!

Labels (2)
Labels
0 Karma
Reply

kennetkline
Path Finder
‎10-21-2020 03:25 PM

Is there a specifics source type the the first one can be referenced against?

I find the following approach to work best:  I write two independent searches  to bring the datasets we want.

Write a search to do an OR statement   ((Search1 ) OR (Search2 )) pipe to stats  I have done counts against matches on sourcetype.  In your example I don't know if the first search as an exact sourcetype.  I did example stating "firstsourcetype" as a variable to replace twice in the search with the actual sourcetype to be used:

The following search is intended to search both searches and then | stats (count matches by sourcetype or no by clause as necessary based on objective, then do the eval then table

( sourcetype="firstsourcetype" "Carrier Failure: provider_name=*" ) OR
( sourcetype="supervisor" host="prod-celery-gateway-0*" "driver dispatch_request: Sending request to" NOT failed )
| stats count(eval(LIKE(sourcetype,"firstsourcetype"))) as total_carrier_errors, count(eval(LIKE(sourcetype,"supervisor"))) as total_requests
| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)
| table total_carrier_errors total_requests

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-14-2020 02:00 PM
Could this helps you https://community.splunk.com/t5/Splunk-Search/Finding-a-percentage-for-every-value-in-another-field/... ?
0 Karma
Reply

haiderzada
New Member
‎10-14-2020 02:13 PM

No this will not help me. Actually, my problem is different from this one I want to run two separate queries one will return me the total number of requests and the second query will return me the number of the failed requests and then I want to calculate the percentage based on these two returned values.

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...