https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274324#M82750 <P>Hi ,</P> <P>Can any one help with fine tuning this search? It's taking a long time to load.</P> <PRE><CODE>index=me sourcetype=access_apache | stats avg(responsemili) as "Avg Response" |eval "Avg Response"=round('Avg Response',2) | appendcols maxtime=600 [ search index=me sourcetype=access_apache NOT clientip = 172.* NOT clientip = 10.* | stats avg(responsemili) as "Avg Response(Internet)" | eval "Avg Response(Internet)"=round('Avg Response(Internet)',2)] | appendcols maxtime=600 [ search index=me sourcetype=access_apache clientip = 172.* OR clientip = 10.* | stats avg(responsemili) as "Avg Response(Intranet)"|eval "Avg Response(Intranet)"=round('Avg Response(Intranet)',2)] </CODE></PRE> Tue, 08 Dec 2015 06:14:56 GMT vranjith009 2015-12-08T06:14:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274324#M82750 <P>Hi ,</P> <P>Can any one help with fine tuning this search? It's taking a long time to load.</P> <PRE><CODE>index=me sourcetype=access_apache | stats avg(responsemili) as "Avg Response" |eval "Avg Response"=round('Avg Response',2) | appendcols maxtime=600 [ search index=me sourcetype=access_apache NOT clientip = 172.* NOT clientip = 10.* | stats avg(responsemili) as "Avg Response(Internet)" | eval "Avg Response(Internet)"=round('Avg Response(Internet)',2)] | appendcols maxtime=600 [ search index=me sourcetype=access_apache clientip = 172.* OR clientip = 10.* | stats avg(responsemili) as "Avg Response(Intranet)"|eval "Avg Response(Intranet)"=round('Avg Response(Intranet)',2)] </CODE></PRE> Tue, 08 Dec 2015 06:14:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274324#M82750 vranjith009 2015-12-08T06:14:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274325#M82751 <P>I would use stats with eval instead of appendcols, something like below. You will have to adjust the conditions and syntax inside if or use match but the skeleton should be something similar</P> <PRE><CODE>index=me sourcetype=access_apache |stats avg(eval(if(clientip != 172. AND clientip != 10.),responsemili)) as Avg Response(Internet)", avg(eval(if(clientip = 172. OR clientip = 10.),responsemili)) as Avg Response(Intranet)", avg(responsemili) as "Avg Response" </CODE></PRE> <P>Reference : <A href="http://docs.splunk.com/Documentation/Splunk/6.1/Search/Usestatswithevalexpressionsandfunctions">http://docs.splunk.com/Documentation/Splunk/6.1/Search/Usestatswithevalexpressionsandfunctions</A></P> Tue, 08 Dec 2015 08:40:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274325#M82751 renjith_nair 2015-12-08T08:40:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274326#M82752 <P>let me know if it helps</P> Wed, 09 Dec 2015 04:01:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274326#M82752 renjith_nair 2015-12-09T04:01:18Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274327#M82753 <P>Its not renjith.</P> <P>I hope "stats avg(eval(if(clientip != 172. AND clientip != 10.),responsemili))" NOT function is not taking with eval</P> Fri, 11 Dec 2015 10:39:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274327#M82753 vranjith009 2015-12-11T10:39:34Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274328#M82754 <P>See if this works</P> <PRE><CODE> index=me sourcetype=access_apache | eval inter=if((clientip!=172. AND clientip != 10.), responsemili, "") | eval intra=if((clientip=172. AND clientip = 10.),responsemili, "") | stats avg(responsemili) as "Avg Response" avg(inter) as "Avg Response(Internet)", avg(intra) as "Avg Response(Intranet)" </CODE></PRE> Fri, 11 Dec 2015 12:58:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-performance-of-this-search-with-appendcols/m-p/274328#M82754 sundareshr 2015-12-11T12:58:59Z