Splunk Search

Two queries in one - SearchParser Subsearch error

jaj
Path Finder

Hi, apologies, but I'm not very well versed in Splunk. I'm trying to run two separate queries in one search, but I get the following error.

index=logs source="*svc1*" "transaction attempt" | stats count as totalCount | 
appendcols | [search index=logs source="*svc1*" "transaction error" | 
stats count as errorCount] eval (errorPercentage = totalCount - errorCount \ totalCount)

Error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '205' of search query 'search index=nonprod_applogs source="*svc1-...{snipped} {errorcontext = endcols | [search ind}'.

0 Karma
1 Solution

niketn
Legend

@jaj try the following.

index=logs source="*svc1*" "transaction attempt" 
| stats count as totalCount 
| appendcols 
    [ search index=logs source="*svc1*" "transaction error" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

However, in order to avoid subsearch limitations you could have tried the following search instead:

index=logs source="*svc1*" "transaction attempt" OR "transaction error" 
| stats count(eval(searchmatch("transaction attempt"))) as totalCount count(eval(searchmatch("transaction error"))) as errorCount
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

jaj
Path Finder

Thanks @niketnilay, however I still get the same error with your first answer. Also, there is more than likely a good chance the second search will look at logs from another source (not sv1 but svc2), so I need to try to figure out the first solution before consolidating logs. Thx.

Error from number one solution:
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '211' of search query 'search index=logs source="*svc1...{snipped} {errorcontext = ls | [ search in}'.

0 Karma

jaj
Path Finder

@niketnilay the second one did work beautifully. However, I'm still trying to figure out how to make 1 work because of the two different log locations for each type of match (attempts vs errors). Any info is super appreciated, thanks.

0 Karma

niketn
Legend

Along the lines of your query, try the following run-anywhere example based on the _internal index and sourcetype splunkd, which works fine for me:

index=_internal sourcetype="splunkd" "INFO" 
| stats count as totalCount 
| appendcols 
    [ search index=_internal sourcetype="splunkd" "ERROR" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

Also, based on the query provided in your question, your main search index=logs source="*svc1*" is the same for both the "transaction attempt" and "transaction error" queries. So the second search is actually the better search based on performance. But please explain why it would not work. What are the different log locations?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jaj
Path Finder

@niketnilay worked beautifully! thanks so much

0 Karma
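For the case raised in the thread, where attempts and errors are logged under different sources, the no-subsearch form can be extended by pairing each phrase with its source in both the base search and the counting expressions. This is an added example, not a query posted by anyone in the thread; the `*svc2*` source pattern is an assumption based on jaj's mention of svc2, and the percentage formula is kept exactly as written in the thread.

```spl
index=logs ((source="*svc1*" "transaction attempt") OR (source="*svc2*" "transaction error"))
| stats count(eval(like(source, "%svc1%") AND searchmatch("transaction attempt"))) as totalCount
        count(eval(like(source, "%svc2%") AND searchmatch("transaction error"))) as errorCount
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
```

Both counts come from a single pass over the events, so the limits that apply to subsearches used with appendcols do not come into play.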