Hi,

i am doing a search with append and i am trying to optimize it.
this is my search:

index=myind source=mysrc POOL_ID=id  | eval TOTAL_RATE=(READ_XFER_RATE + WRITE_XFER_RATE)/1024 | eval ReportKey="Total Transfer" | append [search index=myind source=mysrc POOL_ID=id | eval TOTAL_RATE=READ_XFER_RATE/1024 | eval ReportKey="Read Transfer" | append [search index=myind source=mysrc POOL_ID=id | eval TOTAL_RATE=WRITE_XFER_RATE/1024 | eval ReportKey="Write Transfer"]] | timechart span=1m max(TOTAL_RATE) by ReportKey

my problem is with all the appends, it's not very good.
i already get all the data i need in the first search, why do it again? 😛

so i want to do something like this:

index=myind source=mysrc POOL_ID=id | eval TOTAL_RATE=(READ_XFER_RATE + WRITE_XFER_RATE)/1024 | eval TOTAL_READ=READ_XFER_RATE/1024 | eval TOTAL_WRITE=WRITE_XFER_RATE/1024

the next thing i want is to pair each eval with a name, like this:

eval TOTAL_RATE=(READ_XFER_RATE + WRITE_XFER_RATE)/1024 "Total Transfer" | eval TOTAL_READ=READ_XFER_RATE/1024 "Read Transfer" | eval TOTAL_WRITE=WRITE_XFER_RATE "Write Transfer"

and in the end do a timechart for each eval by its label.

so in the end, the search should be in this mindset:

index=myind source=mysrc POOL_ID=id | eval TOTAL_RATE=(READ_RESPONSE_RATE + WRITE_RESPONSE_RATE)/2/1000 | eval TOTAL_READ=READ_RESPONSE_RATE/1000 | eval TOTAL_WRITE=WRITE_RESPONSE_RATE | table _time,TOTAL_RATE,TOTAL_WRITE,TOTAL_READ | 

is it possible?
if so, how to make the magic happen?

Thank you!