Improve search reducing appendcols

internet_team · ‎09-22-2014

Hello,

is there any way to improve this search by reducing appendcols number ? Source is the same, only download_time average should be calculate according url string regex.

Current search :

sourcetype="my_source_type" source="frt" url="/F-" | timechart avg(download_time) as "Family" | appendcols [search

sourcetype="my_source_type" source="*frt" url="/P-" | timechart avg(download_time) as "Product"] | appendcols [search

sourcetype="my_source_type" source="*frt" url="/C-" | timechart avg(download_time) as "Category"] | appendcols [search

sourcetype="my_source_type" source="*frt" url="/main" | timechart avg(download_time) as "Homepage"]

Thanks,

wpreston · ‎09-22-2014

Sure, I think you can eliminate appendcols altogether in this search. Try something like this:

sourcetype="my_source_type" source="frt" (url="/F-" OR url="/P-" OR url="/C-*" OR url="/main") | eval Identifier=case(url == "/F-", "Family",url == "/P-", "Product",url == "/C-*", "Category", url == "/main", "Homepage") | timechart avg(download_time) by Identifier

gfuente · ‎09-22-2014

Hello

It would be nice to have some sample events, but with the information you had provided try this:

sourcetype="my_source_type" source="frt" (url="/F-" OR  url="/P-" OR url="/C-*" OR url="/main"  ) | rex field="url" "\/(?<group>main|(C|P|F))" | timechart avg(download_time) by group

You could rename the outfput fields if needed.

Regards

Improve search reducing appendcols

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms