Splunk Search

multisearch

zakura
Explorer

Hi , I have 2 queries :

index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount

and 

index="bar_*" sourcetype =foo crm="ser" jet="fas"
| dedup uid
| stats count as TotalFalseCount

I need both of these queries merged and then take "TotalCount" and "TotalFalseCount" and get value from these as : ActualPercent= (TotalFalseCount/TotalCount)*100.

I created one query as below:

index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount by zerocode SubType
| appendcols
                [searchindex="bar_*" sourcetype =foo crm="ser" jet="fas"
                     | dedup uid
                          | stats count as TotalFalseCount by zerocode SubType]
 | eval Percent=(TotalFalseCount/TotalCount)*100
   | stats count by zerocode SubType Percent

 

but the value of "Percent" is completely wrong, can anybody help to know how can I get proper value of "Percent" in above case ?

Labels (1)
0 Karma
1 Solution

zakura
Explorer

With Minor modification it exactly helped to do what I was looking for :

 

index="bar_*" sourcetype =foo crm="ser"

| dedup uid

| stats count as TotalCount by zerocode SubType

| append

  [search index="bar_*" sourcetype =foo crm="ser" jet="fas"

  | dedup uid

  | stats count as TotalFalseCount by zerocode SubType]

| stats values as * by zerocode SubType

| eval Percent=(TotalFalseCount/TotalCount)*100

| eval Percentage = round('Percent',2)

| xyseries SubType zerocode Percentage

| fillnull value="NA"

View solution in original post

0 Karma

zakura
Explorer

@richgalloway  -- You are awesome ! Thanks a lot !

0 Karma

richgalloway
SplunkTrust
SplunkTrust

One problem with the appendcols command is it depends on the order of results being identical in both queries, which is not likely.

Use the append command instead then combine the two set of results using stats.

index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount by zerocode SubType
| append
  [search index="bar_*" sourcetype =foo crm="ser" jet="fas"
  | dedup uid
  | stats count as TotalFalseCount by zerocode SubType]
| stats values(*) as * by zerocode SubType
| fillnull value=0 TotalFalseCount
| eval Percent=(TotalFalseCount/TotalCount)*100
| stats count by zerocode SubType Percent

 

---
If this reply helps you, Karma would be appreciated.

zakura
Explorer

With Minor modification it exactly helped to do what I was looking for :

 

index="bar_*" sourcetype =foo crm="ser"

| dedup uid

| stats count as TotalCount by zerocode SubType

| append

  [search index="bar_*" sourcetype =foo crm="ser" jet="fas"

  | dedup uid

  | stats count as TotalFalseCount by zerocode SubType]

| stats values as * by zerocode SubType

| eval Percent=(TotalFalseCount/TotalCount)*100

| eval Percentage = round('Percent',2)

| xyseries SubType zerocode Percentage

| fillnull value="NA"

0 Karma
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...