Splunk Search

How to avoid the overuse of appendcols?

leandromatperei
Path Finder

Hi Splunkers!

Just wondering whether anyone can advise me on how to tune the following search statement?
The reason why I use appendcols is I need to get results from multiple fields with multiple conditions.

index="teste" "System error(10054)" | eval system_error = host + " - System error(10054)" | timechart span=1min count by system_error 
| appendcols [search index="raw_l1" "Warning: DB Operation took" | eval DB_Operation_took = host + " - DB Operation took" | timechart span=1min count by DB_Operation_took]
| appendcols [search index="raw_l1" "Invalid password" | eval invalid_password = host + " - Invalid password" | timechart span=1min count by invalid_password]
| appendcols [search index="raw_l1" "is already logged" | eval is_already_logged = host + " - is already logged" | timechart span=1min count by is_already_logged]

I have solved this problem using 4 appendcols…
But that made the source code large and ugly…
Is there any way I can optimize the size of the search above?

Thanks.

0 Karma

mayurr98
Super Champion

Not sure if this would work as expected or not but give it a try:

index="teste" "System error(10054)" 
| eval system_error = host + " - System error(10054)" 
| timechart span=1min count by system_error 
| appendcols 
    [ search index="raw_l1" "Warning: DB Operation took" OR "Invalid password" OR "is already logged" 
    | eval field = case(like(_raw,"%Warning: DB Operation took%"),host + " - DB Operation took",like(_raw,"%Invalid password%"), host + " - Invalid password",like(_raw,"%is already logged%"),host + " - is already logged") 
    | timechart span=1min count by field]
0 Karma

leandromatperei
Path Finder

Thanks for your reply, however they brought me some unexpected results from "Other"

Is there any way not to use this appendcols?

I just need to bring a count of these values. These are string fields containing application errors.

Ex:
System error (10054) 2
Invalid password 2
Warning: DB Operation took 2

0 Karma

mayurr98
Super Champion

try this:

(index="teste" "System error(10054)") OR (index="raw_l1" "Warning: DB Operation took" OR "Invalid password" OR "is already logged") 
| eval field = case(index="teste" AND like(_raw,"%System error(10054)%"),"system_error",index="raw_l1" AND like(_raw,"%Warning: DB Operation took%"),"DB_Operation_took",index="raw_l1" AND like(_raw,"%Invalid password%"),"invalid_password",index="raw_l1" AND like(_raw,"%is already logged%"),"is_already_logged") 
| timechart span=1min count by field
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...