Splunk count 2 different fields with two different group by without displaying them

Question

I select orderids for a model in a subsearch and than select the most common materials for each orderid, so I get a list of every Material and the time it was a part of an order. I want to display the most common materials in percentage of all orders. So I need this amount how often every material was found and then divide that by total amount of orders.

sourcetype=file1 [subsearch... ->returns Orders] | 

here I need to select the total amount of orders like:

stats dc(Orders) as totalamount by Orders|
stats dc(Orders) as anz by Material|
eval percentage= anz/totalamount|
sort by percentage desc

How can I perform the total amount of search?

Answer 1

I assume from your base search you will get the Orders and Material anyway, You need to use eventstats for taking the total count . Below code should work

index=foo sourcetype=file1 [subsearch... ->returns Orders]
| stats count(Orders) as order_material_count by Material 
| eventstats sum(order_material_count ) as totalCount
| eval percentage=(order_material_count*100)/totalamount  
| fields Mateira, order_material_count , percentage
| sort - percentage

Answer 2

Try the streamstats command.

index=foo sourcetype=file1 [subsearch... ->returns Orders]
| streamstats count(Orders) as totalamount 
| stats count(Orders) as anz by Material 
| eval percentage=(anz*100)/totalamount 
| sort - percentage