Splunk Search

How to avoid the overuse of appendcols?

Hi Splunkers!

Just wondering whether anyone can advise me on how to tune the following search statement?
The reason why I use appendcols is I need to get results from multiple fields with multiple conditions.

index="teste" "System error(10054)" | eval system_error = host + " - System error(10054)" | timechart span=1min count by system_error 
| appendcols [search index="raw_l1" "Warning: DB Operation took" | eval DB_Operation_took = host + " - DB Operation took" | timechart span=1min count by DB_Operation_took]
| appendcols [search index="raw_l1" "Invalid password" | eval invalid_password = host + " - Invalid password" | timechart span=1min count by invalid_password]
| appendcols [search index="raw_l1" "is already logged" | eval is_already_logged = host + " - is already logged" | timechart span=1min count by is_already_logged]

I have solved this problem using 4 appendcols…
But that made the source code large and ugly…
Is there any way I can optimize the size of the search above?

Thanks.

0 Karma

SplunkTrust
SplunkTrust

Not sure if this would work as expected or not but give it a try:

index="teste" "System error(10054)" 
| eval system_error = host + " - System error(10054)" 
| timechart span=1min count by system_error 
| appendcols 
    [ search index="raw_l1" "Warning: DB Operation took" OR "Invalid password" OR "is already logged" 
    | eval field = case(like(_raw,"%Warning: DB Operation took%"),host + " - DB Operation took",like(_raw,"%Invalid password%"), host + " - Invalid password",like(_raw,"%is already logged%"),host + " - is already logged") 
    | timechart span=1min count by field]
0 Karma

Thanks for your reply, however they brought me some unexpected results from "Other"

Is there any way not to use this appendcols?

I just need to bring a count of these values. These are string fields containing application errors.

Ex:
System error (10054) 2
Invalid password 2
Warning: DB Operation took 2

0 Karma

SplunkTrust
SplunkTrust

try this:

(index="teste" "System error(10054)") OR (index="raw_l1" "Warning: DB Operation took" OR "Invalid password" OR "is already logged") 
| eval field = case(index="teste" AND like(_raw,"%System error(10054)%"),"system_error",index="raw_l1" AND like(_raw,"%Warning: DB Operation took%"),"DB_Operation_took",index="raw_l1" AND like(_raw,"%Invalid password%"),"invalid_password",index="raw_l1" AND like(_raw,"%is already logged%"),"is_already_logged") 
| timechart span=1min count by field
0 Karma