Splunk Search

Two queries in one - SearchParser Subsearch error

jaj
Path Finder

Hi, apologies, but I'm not very versed in Splunk. I'm trying to run two separate queries in one search, but I get the following error.

index=logs source="*svc1*" "transaction attempt" | stats count as totalCount | 
appendcols | [search index=logs source="*svc1*" "transaction error" | 
stats count as errorCount] eval (errorPercentage = totalCount - errorCount \ totalCount)

Error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '205' of search query 'search index=nonprod_applogs source="*svc1-...{snipped} {errorcontext = endcols | [search ind}'.

0 Karma
1 Solution

niketn
Legend

@jaj try the following.

index=logs source="*svc1*" "transaction attempt" 
| stats count as totalCount 
| appendcols 
    [ search index=logs source="*svc1*" "transaction error" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

However, in order to avoid subsearch limitations you could have tried the following search instead:

index=logs source="*svc1*" "transaction attempt" OR "transaction error" 
| stats count(eval(searchmatch("transaction attempt"))) as totalCount count(eval(searchmatch("transaction error"))) as errorCount
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

jaj
Path Finder

Thanks @niketnilay, however, I still get the same error with your first answer. Also, there is more than likely a good chance the second search will look at logs from another source (not svc1 but svc2), so I need to try to figure out the first solution before consolidating logs. Thx.

Error from number one solution:
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '211' of search query 'search index=logs source="*svc1...{snipped} {errorcontext = ls | [ search in}'.

0 Karma

jaj
Path Finder

@niketnilay the second one did work beautifully. However, I'm still trying to figure out how to make the first one work because of the two different log locations for each type of match (attempts vs. errors). Any info is super appreciated, thanks.

0 Karma

niketn
Legend

Along the lines of your query, try the following run-anywhere example based on the _internal index and sourcetype splunkd, which works fine for me:

index=_internal sourcetype="splunkd" "INFO" 
| stats count as totalCount 
| appendcols 
    [ search index=_internal sourcetype="splunkd" "ERROR" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

Also, based on the query provided in your question, your main search index=logs source="*svc1*" is the same for both the "transaction attempt" and "transaction error" queries. So the second search is actually the better search based on performance. But please explain why it would not work? What are the different log locations?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
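The single-pass form also covers the case raised above, where attempts and errors live under different sources: filter the base search on the union of both source/term pairs and let stats split the counts with searchmatch. The search below is an added example and is not one niketn posted; the source patterns "*svc1*" and "*svc2*" are assumed from the thread, and the division guard is an addition so that a window with zero attempts yields null instead of an error on the eval.

```spl
index=logs ((source="*svc1*" "transaction attempt") OR (source="*svc2*" "transaction error"))
| stats count(eval(searchmatch("transaction attempt"))) as totalCount
        count(eval(searchmatch("transaction error"))) as errorCount
| eval errorPercentage = if(totalCount > 0, round(((totalCount-errorCount)/totalCount)*100, 2), null())
```

Because both sources are read in one pass, there is no subsearch and so none of its result-count or time limits apply, and the SearchParser error from the question cannot occur. The eval keeps the formula the thread settled on; note that (totalCount-errorCount)/totalCount is the share of attempts without an error, so use errorCount/totalCount instead if the error share is what the panel should show.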

jaj
Path Finder

@niketnilay worked beautifully! Thanks so much.

0 Karma