Reputation: 23
I am new to Splunk and don't quite manage to formulate a Splunk query in order to get the exact results I want:
I have server logs that are something like this: clientIP instanceID serviceType error
I have three queries that I would like to display together:
A gives me all instanceIDs that are unused beyond being created and destroyed:

```spl
| stats count(eval(error="")) as Total_Successful_Calls
        count(eval(serviceType="X")) as numcallsXService
        by clientIP instanceID
| where numcallsXService=2 and Total_Successful_Calls=2
```

B gives me all instanceIDs that are actually used:

```spl
| stats count(eval(error="")) as Total_Successful_Calls
        count(eval(serviceType="X")) as numcallsXService
        by clientIP instanceID
| where numcallsXService=2 and Total_Successful_Calls>2
```

C actually gives me the complete count of instances for checking if the results are valid:

```spl
| stats dc(instanceID) by clientIP
```

Now I would like to display these like so:

```
clientIP numberAllInstances numberUsedInstances numberUnusedInstances
```
I fail at counting the results of A and B - how is this done in Splunk?
Then I would also like to put where conditions like in A and B into C - here I think it may not be possible with dc and I may instead have to use the query structures of A and B.
Finally, I have no clue how to put these queries together - do I put A, B and C after another like this: A|B|C ?
Upvotes: 2
Views: 2618
Reputation: 33453
You could try using `append` followed by a grouping `stats` and `eventstats`:

```spl
<first SPL>
| append
    [| search <second SPL> ]
| stats values(*) as * by clientIP instanceID
| eventstats dc(instanceID) as instances by clientIP
```

EDIT:
If you have some more representative sample data, we may be able to help you simplify your search better, too
Upvotes: 1
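The same result table can also be produced in a single pass without `append`, which avoids the default subsearch result and time limits. This is an added example, not the answerer's query: the `index=server_logs` filter is an assumed placeholder for the base search, and the per-instance aggregation reuses the field names from the question.

```spl
index=server_logs
| stats count(eval(error="")) as Total_Successful_Calls
        count(eval(serviceType="X")) as numcallsXService
        by clientIP instanceID
| eval unused=if(numcallsXService=2 AND Total_Successful_Calls=2, 1, 0)
| eval used=if(numcallsXService=2 AND Total_Successful_Calls>2, 1, 0)
| stats dc(instanceID) as numberAllInstances
        sum(used) as numberUsedInstances
        sum(unused) as numberUnusedInstances
        by clientIP
```

The first `stats` computes the same per-(clientIP, instanceID) counters as queries A and B, but the `where` conditions are replaced by two `eval` flags so that no instances are dropped; the second `stats` then counts every distinct instance per client (query C's `dc(instanceID)`) alongside the sums of the two flags. Because `numberAllInstances` is computed from the unfiltered rows, `numberUsedInstances + numberUnusedInstances` will be less than or equal to it, and the difference is the number of instances that matched neither A nor B (for example, those with `numcallsXService` other than 2), which is a useful sanity check on the thresholds.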