Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

multiple searches for stats

kishan2356
Explorer
‎01-05-2022 08:07 AM

I have two searches where I need to run an stats count on to do some calculations. First search  is

index=xxx wf_id=xxx wf_env=xxx xxx | stats count

 

Second search is 

index=xxx wf_id=xxx wf_env=xxx    sourcetype=xxx usecase=xxx  | stats count by request_id

 

First search uses a simple stats to get its count, but the second search uses stats count by request_id so I am having trouble getting the counts for both. Ideally I would like to get the counts for both searches and divide them. I've used appendcols but it returns empty fields for both searches. Any guidance on how to get counts for these searches would be helpful! 

 

Working example:

_time

Search 1 counts

Search 2 counts

Search 1/ Search 2

00:30

50

25

2

00:35

100

25

4

 

 

Labels (5)
Labels
0 Karma
Reply

kishan2356
Explorer
‎01-05-2022 08:56 AM

This returns an empty field 

kishan2356_0-1641401790685.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2022 09:05 AM

Hi @kishan2356,

in my test I have two rows: one with empty field and one with the valued fiel, you could filter for the fields with the value:

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| stats count by request_id
| appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count | rename count AS total ]
| search total=*
| eval perc=count/total

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2022 08:39 AM

Hi @kishan2356,

did you tried appendpipe?

something like this:

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| stats count by request_id
| appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count  rename count AS total ]
| eval perc=count/total

Ciao.

Giuseppe

0 Karma
Reply

kishan2356
Explorer
‎01-10-2022 08:56 AM

Thank you for the reply Giuseppe,

Hi am still getting black fields when using appendpipe.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2022 09:27 AM

Hi @kishan2356,

please try this:

 

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| bin _time span=5m
| stats count by _bin request_id
| append [ search 
   index=xxx wf_id=xxx wf_env=xxx xxx 
   | bin _time span=5m 
   | stats count BY _time 
   | rename count AS total 
   ]
| stats sum(count) AS count values(total) AS total BY _time
| eval perc=count/total

 

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...