show results from two splunk queries into one

Solution 1

You can join the two queries by using :

|

So your query can look like this:

{firstQuery} as countUS| {secondQuery} as countTotal | eval perc=countUS/countTotal

Solution 2

You can use a conditional to count those from US

Example query:

index=data | timechart dc(user) as dc_user, dc(eval(if(geo=US,user,NULL))) as us_user | eval perc_us=round(us_user/dc_user*100,2) | table _time, perc_us

Alternatively you can use the SPL join command but that would be less efficient as it would have to read the data twice and join the results.

Related videos on Youtube

05 : 20

Basic Searching in Splunk

Splunk How-To

228

11 : 49

"Splunk Enterprise 6 Basic Search"

Splunk

203

16 : 24

Splunk - Alert Action - Upload Search Results to AWS S3

Splunk Talks

142

09 : 04

Splunk 101: Basic Search

Kinney Group

17

24 : 13

Splunk Commands : "join" vs "map" vs "selfjoin" command detail explanation

Splunk & Machine Learning

17

26 : 39

Splunk Commands | Splunk stats | Splunk eventstats

Splunk Talks

6

08 : 02

Splunk Joins - Splunk Left Join - Splunk Inner Join - Splunk Outer Join

Vikas Jha

2

02 : 27

How to Filter splunk results using results of another splunk query | splunk scenarios tutorial

DWBIADDA VIDEOS

1

02 : 26

How to append two queries and get single output in splunk | splunk scenarios tutorial

DWBIADDA VIDEOS

1

Author by

A-D

Front end engineer working in the enterprise world and solving their problems. Everyday is a new day and I am learning new things. Building apps using Angularjs, ReactJS, HTML, Javascript and CSS.

Updated on September 16, 2022