Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

multiple searches for stats

kishan2356
Explorer
‎01-05-2022 08:07 AM

I have two searches where I need to run an stats count on to do some calculations. First search  is

index=xxx wf_id=xxx wf_env=xxx xxx | stats count

 

Second search is 

index=xxx wf_id=xxx wf_env=xxx    sourcetype=xxx usecase=xxx  | stats count by request_id

 

First search uses a simple stats to get its count, but the second search uses stats count by request_id so I am having trouble getting the counts for both. Ideally I would like to get the counts for both searches and divide them. I've used appendcols but it returns empty fields for both searches. Any guidance on how to get counts for these searches would be helpful! 

 

Working example:

_time

Search 1 counts

Search 2 counts

Search 1/ Search 2

00:30

50

25

2

00:35

100

25

4

 

 

Labels (5)
Labels
0 Karma
Reply

kishan2356
Explorer
‎01-05-2022 08:56 AM

This returns an empty field 

kishan2356_0-1641401790685.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2022 09:05 AM

Hi @kishan2356,

in my test I have two rows: one with empty field and one with the valued fiel, you could filter for the fields with the value:

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| stats count by request_id
| appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count | rename count AS total ]
| search total=*
| eval perc=count/total

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2022 08:39 AM

Hi @kishan2356,

did you tried appendpipe?

something like this:

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| stats count by request_id
| appendpipe [ search index=xxx wf_id=xxx wf_env=xxx xxx | stats count  rename count AS total ]
| eval perc=count/total

Ciao.

Giuseppe

0 Karma
Reply

kishan2356
Explorer
‎01-10-2022 08:56 AM

Thank you for the reply Giuseppe,

Hi am still getting black fields when using appendpipe.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2022 09:27 AM

Hi @kishan2356,

please try this:

 

index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx
| bin _time span=5m
| stats count by _bin request_id
| append [ search 
   index=xxx wf_id=xxx wf_env=xxx xxx 
   | bin _time span=5m 
   | stats count BY _time 
   | rename count AS total 
   ]
| stats sum(count) AS count values(total) AS total BY _time
| eval perc=count/total

 

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...