I want to display a table in my dashboard with 3 columns called Search_Text, Count, Count_Percentage
How do I formulate the Splunk query so that I can display 2 search query and their result count and percentage in Table format.
Example,
Heading Count Count_Percentage
SearchText1 4 40
SearchText2 6 60
The below query will create a column named SearchText1 which is not what I want:
index=something "SearchText1" | stats count AS SearchText1
Put each query after the first in an append and set the Heading field as desired. Then use the stats command to count the results and group them by Heading. Finally, get the total and compute percentages.
index=foo "SearchText1" | eval Heading="SearchText1"
| append [ | search index=bar "SearchText2" | eval Heading="SearchText2" ]
| stats count as Count by Heading
| eventstats sum(Count) as Total
| eval Count_Percentage=(Count*100/Total)
| table Heading Count Count_Percentage
Showing the absence of search results is a little tricky and changes the above query a bit. Each search will need its own stats command and an appendpipe command to detect the lack of results and create some. Try this:
index=main "SearchText1"
| eval Heading="SearchText1"
| stats count as Count by Heading
| appendpipe
[ stats count
| eval Heading="SearchText1", Count=0
| where count=0
| fields - count]
| append
[| search index=main "SearchText2"
| eval Heading="SearchText2"
| stats count as Count by Heading
| appendpipe
[ stats count
| eval Heading="SearchText2", Count=0
| where count=0
| fields - count] ]
| eventstats sum(Count) as Total
| eval Count_Percentage=(Count*100/Total)
| table Heading Count Count_Percentage