Hi everybody.
I've been having this problem with a search in splunk for quite some time.
I have two queries that work fine when used separated, but for report purposes, I need to combine them so in the end I'm able to calculate a perpetual value.
The first query is:
index=A sourcetype=B queryType=C | convert ctime(_time) as date timeformat=%d/%m/%Y| stats count by date id | stats count as total by date
The second one is:
search index=A sourcetype=B queryType=C| convert ctime(_time) as date timeformat=%d/%m/%Y | stats count by date id | where count>5 | stats count as attents by date
The conjoined search is:
search index=A sourcetype=B queryType=C | convert ctime(_time) as date timeformat=%d/%m/%Y| stats count by date id | stats count as total by date | appendcols [search search index=A sourcetype=B queryType=C| convert ctime(_time) as date timeformat=%d/%m/%Y | stats count by date id | where count>5 | stats count as attents by date] | eval percent=((attents/total)*100)|eval percentt=round(percent_att,3)
Now here's the catch if I run this combined query for only one day, it returns the correct result for all fields but if I extend the time span, lets say three or four days, the second field in this case being attends returns fewer and fewer results.
If I invert the order of the search and use attends as a search and total as the subsearch the same happens, for a broader time span, and total returns fewer and fewer results.
In the full query appendcols but I tried to use append , appendpipe and join and nothing worked.
I should mention that the index source type and query type are the same for both the search and the subsearch. I'm sorry but I can't disclose more information about the problem because of confidentiality matters.
Thank you for your time
... View more