Splunk Search

Combine the two queries and calculate count

zork67
Explorer

Hello experts.

I tried to execute the query, as described here https://answers.splunk.com/answers/106906/how-to-perform-math-on-single-values.html

In my case, too, there are two requests.

1st search:

index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id" | dedup CID 
 | stats count as part 

2nd search:

index=ns SUBMIT_SM  REQUEST host="notif*" | stats count as uniq

I tried to combine these requests into one to calculate the ratio

  | multisearch
       [ search index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id" | dedup CID 
         | eval marker="s" ]
       [ search index=ns SUBMIT_SM  REQUEST host="notif*" 
         | eval marker="o" ]
     | stats count(eval(marker=="s")) as part
             count(eval(marker=="o")) as uniq
     | eval velocity=(part/uniq)*100)

I receive an error:

Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)
The search job has failed due to an error. You may be able to see the job in the Job Inspector.

I tried it differently

index=ns SUBMIT_SM  REQUEST host="notif*" 
 | stats count as part 
 | append [ search index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id" | dedup CID | stats count as uniq] | eval velocity=part/uniq

But velocity was not calculated

Help

Tags (1)
0 Karma
1 Solution

zork67
Explorer

I decided this way:

index=ns SUBMIT_SM  REQUEST host="notif*" 
| stats count as part 
| appendcols [search index=ns SUBMIT_SM  REQUEST host="notif*" 
| rex field=_raw "CID\:(?<CID>.*)\ actor-id" 
| dedup CID
| stats count(CID) as uniq ]
| eval ratio=part/uniq
| fields ratio

Thanks to all

View solution in original post

zork67
Explorer

I decided this way:

index=ns SUBMIT_SM  REQUEST host="notif*" 
| stats count as part 
| appendcols [search index=ns SUBMIT_SM  REQUEST host="notif*" 
| rex field=_raw "CID\:(?<CID>.*)\ actor-id" 
| dedup CID
| stats count(CID) as uniq ]
| eval ratio=part/uniq
| fields ratio

Thanks to all

richgalloway
SplunkTrust
SplunkTrust

@zork67 If your problem is resolved, please accept an answer (it's OK to accept your own answer) to help future readers.

---
If this reply helps you, Karma would be appreciated.

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @zork67, if @somesoni2 solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I would do like this (as both have same base search)

index=ns SUBMIT_SM  REQUEST host="notif*" | rex field=_raw "CID\:(?<CID>.*)\ actor-id"
| stats dc(CID) as part count as uniq
| eval velocity=(part/uniq)*100
0 Karma

zork67
Explorer

Thanks, but still an error

Error in 'eval' command: The expression is malformed.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

There is an additional braces in the eval, removed. (search was copied from question so didn't see that)

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...