Hi, apologies but I'm not very versed in Splunk. I'm trying to run two separate queries in one search but I get the following error.
index=logs source="*svc1*" "transaction attempt" | stats count as totalCount |
appendcols | [search index=logs source="*svc1*" "transaction error" |
stats count as errorCount] eval (errorPercentage = totalCount - errorCount \ totalCount)
Error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '205' of search query 'search index=nonprod_applogs source="*svc1-...{snipped} {errorcontext = endcols | [search ind}'.
@jaj try the following.
index=logs source="*svc1*" "transaction attempt"
| stats count as totalCount
| appendcols
[ search index=logs source="*svc1*" "transaction error"
| stats count as errorCount]
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
However, in order to avoid subsearch limitations you could have tried the following search instead:
index=logs source="*svc1*" "transaction attempt" OR "transaction error"
| stats count(eval(searchmatch("transaction attempt"))) as totalCount count(eval(searchmatch("transaction error"))) as errorCount
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
Thanks @niketnilay, however I still get the same error with your first answer. Also, there is more than likely a good chance the second search will look at logs from another source (not svc1 but svc2), so I need to try to figure out the first solution before consolidating logs. Thx
Error from number one solution:
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '211' of search query 'search index=logs source="*svc1...{snipped} {errorcontext = ls | [ search in}'.
@niketnilay the second one did work beautifully. However, I'm still trying to figure out how to make 1 work because of two different log locations for each type of match (attempts vs errors). Any info is super appreciated, thanks
Along the lines of your query, try the following run-anywhere example based on the _internal index and sourcetype splunkd, which works fine for me:
index=_internal sourcetype="splunkd" "INFO"
| stats count as totalCount
| appendcols
[ search index=_internal sourcetype="splunkd" "ERROR"
| stats count as errorCount]
| eval errorPercentage = round(((totalCount-errorCount)/totalCount)*100,2)
Also, based on the query provided in your question, your main search index=logs source="*svc1*" is the same for both the "transaction attempt" and "transaction error" queries. So the second search is actually the better search based on performance. But please explain why it would not work. What are the different log locations?
@niketnilay worked beautifully! thanks so much