
Two queries in one - SearchParser Subsearch error

Path Finder

Hi, apologies but I'm not very versed in Splunk. I'm trying to run two separate queries in one search but I get the following error.

index=logs source="*svc1*" "transaction attempt" | stats count as totalCount | 
appendcols | [search index=logs source="*svc1*" "transaction error" | 
stats count as errorCount] eval (errorPercentage = totalCount - errorCount \ totalCount)

Error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '205' of search query 'search index=nonprod_applogs source="*svc1-...{snipped} {errorcontext = endcols | [search ind}'.


SplunkTrust

@jaj try the following.

index=logs source="*svc1*" "transaction attempt" 
| stats count as totalCount 
| appendcols 
    [ search index=logs source="*svc1*" "transaction error" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

However, in order to avoid subsearch limitations you could have tried the following search instead:

index=logs source="*svc1*" "transaction attempt" OR "transaction error" 
| stats count(eval(searchmatch("transaction attempt"))) as totalCount count(eval(searchmatch("transaction error"))) as errorCount
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



Path Finder

Thanks @niketnilay, however I still get the same error with your first answer. Also, there is more than likely a good chance the second search will look at logs from another source (not svc1 but svc2), so I need to try to figure out the first solution before consolidating logs. Thx

Error from number one solution:
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '211' of search query 'search index=logs source="*svc1...{snipped} {errorcontext = ls | [ search in}'.


Path Finder

@niketnilay the second one did work beautifully. However, I'm still trying to figure out how to make 1 work because of two different log locations for each type of match (attempts vs errors). Any info is super appreciated, thanks.


SplunkTrust

Along the lines of your query, try the following run-anywhere example based on the _internal index and sourcetype splunkd, which works fine for me:

index=_internal sourcetype="splunkd" "INFO" 
| stats count as totalCount 
| appendcols 
    [ search index=_internal sourcetype="splunkd" "ERROR" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

Also, based on the query provided in your question, your main search index=logs source="*svc1*" is the same for both the "transaction attempt" and "transaction error" queries. So the second search is actually a better search based on performance. But please explain why it would not work. What are the different log locations?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
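For the two-source case raised in this thread (attempts logged by svc1, errors logged by svc2), the single-search approach above still works without a subsearch: put both source/term pairs in the base search and let searchmatch() decide which bucket each event falls into. This is an added example, not a query from the thread; the svc2 source pattern is an assumption, and the if() guard returns null instead of a meaningless percentage when no attempts were logged in the time range.

```spl
index=logs (source="*svc1*" "transaction attempt") OR (source="*svc2*" "transaction error")
| stats count(eval(searchmatch("source=*svc1* transaction attempt"))) as totalCount
        count(eval(searchmatch("source=*svc2* transaction error"))) as errorCount
| eval errorPercentage=if(totalCount>0, round(((totalCount-errorCount)/totalCount)*100,2), null())
```

Because the base search already restricts each source to its exact phrase, the searchmatch() strings only need the source pattern and the two terms; the stats command sees the events from both sources in one pass, so the subsearch result limits never apply.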

Path Finder

@niketnilay worked beautifully! Thanks so much.
