##1 Skipped scheduled searches per report, with skip reasons and counts
##  Rows come from scheduler events with status="skipped"; search types ending in "acceleration" are excluded.
##  A report listed here with "Alert Actions" other than "none" had scheduled runs that did not execute,
##  so its alert could not fire for those runs. Review those rows first when checking detection coverage.
##  The host filter only matches names shaped like sh*.*splunk*.* or si*.*splunk*.* (presumably the search
##  heads; confirm for your stack). If no host matches, the result is empty, which looks the same as "no skips".
index=_internal sourcetype=scheduler status="skipped" search_type!="*acceleration" (host=sh*.*splunk*.* OR host=si*.*splunk*.*)
| eval alert_actions=if(isnull(alert_actions) OR alert_actions == "", "none", alert_actions)
| eval reason=if(isnull(reason) OR reason == "", "none", reason)
| stats count AS count values(alert_actions) AS alert_actions by savedsearch_name, reason
| eval reason_with_count=reason . " (" . count . ")"
| stats values(reason_with_count) AS reasons first(alert_actions) AS alert_actions sum(count) AS total_skips by savedsearch_name
| sort - total_skips
| rename reasons AS "Skip Reason (Skip Count)", alert_actions AS "Alert Actions", savedsearch_name AS "Report Name", total_skips AS "Total Skips"

##2 Scheduler ERROR/WARN messages, clustered by similarity
##  Groups messages with cluster (threshold 0.7) and shows each cluster's count and share of all clustered events.
##  Same host filter as ##1, so the same "empty result" caveat applies.
index=_internal sourcetype=scheduler (log_level="ERROR" OR log_level="WARN*") (host=sh*.*splunk*.* OR host=si*.*splunk*.*)
| cluster t=0.7 field=message showcount=true countfield=count
| table message, count, punct
| sort - count
| eventstats sum(count) AS grand_total
| eval percent=round(count / grand_total * 100, 2) . " %"
| fields - grand_total, punct
| rename message AS Message, count AS Count, percent AS "Percent of Total"

##3 Skip ratio
##  skip_ratio = skipped / (completed + skipped) * 100, rounded to 2 decimals.
##  status="deferred" events are matched by the base search but counted in neither number.
index=_internal sourcetype=scheduler search_type!="*acceleration" (status="completed" OR status="deferred" OR status="skipped") (host=sh*.*splunk*.* OR host=si*.*splunk*.*)
| stats count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec
| eval skip_ratio=round(skipped_exec / total_exec * 100, 2)
| fields skip_ratio

##4 Total skipped searches
##  Counts skipped scheduler events per reason (empty reason becomes "none"), then sums them into one total.
index=_internal sourcetype=scheduler status="skipped" search_type!="*acceleration" (host=sh*.*splunk*.* OR host=si*.*splunk*.*)
| eval reason=if(isnull(reason) OR reason == "", "none", reason)
| stats count by reason
| stats sum(count) AS total