Error with subsearch

DonDandrea · ‎04-22-2014

I am new to creating subsearches and have completed a few of them successfully. This latest example is causing me a bit of greif.

I am trying to
1. do a stats count to provide error count in one search
2. sum a value to create a transaction count from a different data source
3. display the results in a table or chart like below

transactions 10000
errors 100

Here is my search
index=dspro sourcetype=telemetry | chart sum(TotalTransactions) as transaction_count [search index=dspro sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph) | stats count as error_count] | chart, transaction_count, error_count

Here is the error it generates
Error in 'chart' command: The argument '( ( error_count=25045 ) )' is invalid.

Eventually I will want to create a third line in the chart that provides the percentage of errors.

Please help

Thank you
Don

DonDandrea · ‎04-23-2014

Now we're talking. Thank you very much. You guys are awesome.

DonDandrea · ‎04-22-2014

That definately is a step closer. The only problem is that is doing a stats count to determine a value for transaction count. Transaction count needs to be determined by adding together all the values for the field TotalTransactions from the telemetry data.

somesoni2 · ‎04-22-2014

Try this

index=dspro (sourcetype=telemetry) OR (sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph)) | stats sum(TotalTransactions) as transaction_count count(eval(sourcetype="bootlogmaster")) as error_count

somesoni2 · ‎04-22-2014

Nice catch 🙂 , updated answer to correct this.

martin_mueller · ‎04-22-2014

I think you should replace count(eval(sourcetype="telemetry")) with sum(TotalTransactions).

Error with subsearch

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!