Splunk Search

Splunk Subquery

haiderzada
New Member
Basically, I have a problem in which I want to run two queries the first query will return me the total number of requests and the second query will return requests that fail so that i can calculate the percentage but I am unable to do this with a subquery.
 
Currently, I am using this query
 
"Carrier Failure: provider_name=*" 
| dedup application_id | stats count AS total_carrier_errors
| append
[search host="prod-celery-gateway-0*" sourcetype="supervisor"
"driver dispatch_request: Sending request to" NOT failed
| stats count AS total_requests]
| table total_carrier_errors total_requests
| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)

Can anyone guide me with this?

Thank You!

Labels (2)
0 Karma

kennetkline
Path Finder

Is there a specifics source type the the first one can be referenced against?

I find the following approach to work best:  I write two independent searches  to bring the datasets we want.

Write a search to do an OR statement   ((Search1 ) OR (Search2 )) pipe to stats  I have done counts against matches on sourcetype.  In your example I don't know if the first search as an exact sourcetype.  I did example stating "firstsourcetype" as a variable to replace twice in the search with the actual sourcetype to be used:

The following search is intended to search both searches and then | stats (count matches by sourcetype or no by clause as necessary based on objective, then do the eval then table

( sourcetype="firstsourcetype" "Carrier Failure: provider_name=*" ) OR
( sourcetype="supervisor" host="prod-celery-gateway-0*" "driver dispatch_request: Sending request to" NOT failed )
| stats count(eval(LIKE(sourcetype,"firstsourcetype"))) as total_carrier_errors, count(eval(LIKE(sourcetype,"supervisor"))) as total_requests
| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)
| table total_carrier_errors total_requests

0 Karma

isoutamo
SplunkTrust
SplunkTrust
0 Karma

haiderzada
New Member

No this will not help me. Actually, my problem is different from this one I want to run two separate queries one will return me the total number of requests and the second query will return me the number of the failed requests and then I want to calculate the percentage based on these two returned values.

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...