Splunk Search

Two queries in one - SearchParser Subsearch error

jaj
Path Finder

Hi, apologies but I'm not very versed in Splunk. I'm trying to run two separate queries in one search, but I get the following error.

index=logs source="*svc1*" "transaction attempt" | stats count as totalCount | 
appendcols | [search index=logs source="*svc1*" "transaction error" | 
stats count as errorCount] eval (errorPercentage = totalCount - errorCount \ totalCount)

Error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '205' of search query 'search index=nonprod_applogs source="*svc1-...{snipped} {errorcontext = endcols | [search ind}'.

1 Solution

niketn
Legend

@jaj try the following.

index=logs source="*svc1*" "transaction attempt" 
| stats count as totalCount 
| appendcols 
    [ search index=logs source="*svc1*" "transaction error" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

However, in order to avoid subsearch limitations you could have tried the following search instead:

index=logs source="*svc1*" "transaction attempt" OR "transaction error" 
| stats count(eval(searchmatch("transaction attempt"))) as totalCount count(eval(searchmatch("transaction error"))) as errorCount
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


jaj
Path Finder

Thanks @niketnilay; however, I still get the same error with your first answer. Also, there is more than likely a good chance the second search will look at logs from another source (not svc1 but svc2), so I need to try to figure out the first solution before consolidating logs. Thx

Error from number one solution:
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '211' of search query 'search index=logs source="*svc1...{snipped} {errorcontext = ls | [ search in}'.


jaj
Path Finder

@niketnilay the second one did work beautifully. However, I'm still trying to figure out how to make the first one work because of the two different log locations for each type of match (attempts vs. errors). Any info is super appreciated, thanks.


niketn
Legend

Along the lines of your query, try the following run-anywhere example based on the _internal index and sourcetype splunkd, which works fine for me:

index=_internal sourcetype="splunkd" "INFO" 
| stats count as totalCount 
| appendcols 
    [ search index=_internal sourcetype="splunkd" "ERROR" 
    | stats count as errorCount] 
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)

Also, based on the query provided in your question, your main search index=logs source="*svc1*" is the same for both the "transaction attempt" and "transaction error" queries. So the second search is actually the better search based on performance. But please explain why it would not work. What are the different log locations?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
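As an added example (not posted by either participant in this thread), the single-pass pattern from the accepted answer extended to the case jaj raises, where attempts and errors come from different sources; the svc2 source for errors is an assumption, and the extra eval guards against a division by zero when no attempts matched:

```spl
index=logs ((source="*svc1*" "transaction attempt") OR (source="*svc2*" "transaction error"))
| eval kind=case(like(source,"%svc1%") AND searchmatch("transaction attempt"), "attempt",
                 like(source,"%svc2%") AND searchmatch("transaction error"),   "error")
| stats count(eval(kind=="attempt")) AS totalCount
        count(eval(kind=="error"))   AS errorCount
| eval errorPercentage=if(totalCount>0, round(((totalCount-errorCount)/totalCount)*100,2), null())
```

The base search pairs each phrase with its own source, so only one pass over the index is needed and no subsearch (with its result and time limits) is involved; count(eval(...)) yields 0 rather than null for a side with no matches, so the percentage still computes when there are attempts but no errors.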

jaj
Path Finder

@niketnilay worked beautifully! Thanks so much.
