Hi Splunkers!
Just wondering whether anyone can advise me on how to tune the following search statement?
The reason I use appendcols is that I need to get results from multiple fields with multiple conditions.
index="teste" "System error(10054)" | eval system_error = host + " - System error(10054)" | timechart span=1min count by system_error
| appendcols [search index="raw_l1" "Warning: DB Operation took" | eval DB_Operation_took = host + " - DB Operation took" | timechart span=1min count by DB_Operation_took]
| appendcols [search index="raw_l1" "Invalid password" | eval invalid_password = host + " - Invalid password" | timechart span=1min count by invalid_password]
| appendcols [search index="raw_l1" "is already logged" | eval is_already_logged = host + " - is already logged" | timechart span=1min count by is_already_logged]
I have solved this problem using 4 appendcols…
But that made the source code large and ugly…
Is there any way I can optimize the size of the search above?
Thanks.
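One way to collapse the three subsearches into a single pass over the data, as an added example that is not part of the original post: search both indexes at once, tag each event with the pattern it matched, and let one timechart split on host plus pattern. It assumes the same index names and message strings as the question; `limit=0` is added because timechart otherwise folds everything beyond the ten largest series into OTHER.

```spl
(index="teste" "System error(10054)")
OR (index="raw_l1" ("Warning: DB Operation took" OR "Invalid password" OR "is already logged"))
| eval pattern = case(
    like(_raw, "%System error(10054)%"),      "System error(10054)",
    like(_raw, "%Warning: DB Operation took%"), "DB Operation took",
    like(_raw, "%Invalid password%"),          "Invalid password",
    like(_raw, "%is already logged%"),         "is already logged")
| where isnotnull(pattern)
| eval series = host . " - " . pattern
| timechart span=1min limit=0 count by series
```

Each host/pattern pair becomes its own column, matching what the appendcols version produced, but the indexes are read once instead of four times and no subsearch result limits apply.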