Hey guys,

I asked a question recently about an appended column on a graph not selecting the correct events when it is clicked on. Iguinn provided me with a query(Thanks!) that allowed the columns to filter correctly and select the right events. I have to add two more columns to this graph, and I am running into the same problem I was having when I was trying to use append, which is that it does not filter the events correctly into the appended columns on the graph.

Both of these fields have been extracted and appear correctly when they are not appended.

My query is sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | stats count by ErrorType | append [ search sourcetype=testing AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = if(AccessDenied=="access denied",AccessDenied,PageNotFound) | stats count by ErrorType ]

These commands both work when they are not appended. When I select either the AccessDenied column or the PageNotFound column, I get 0 events, even though the graph says there are three.

The search query when I select these appended columns is sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | search ErrorType="access denied" when I select one of these appended columns. If I select a non-appended column, the query is the same, except it says search ErrorType="PHP Fatal Error"

Why are appended columns not functioning properly on this graph?

Thanks