appendcols
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
appendcols
Synopsis
Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.
Syntax
appendcols [override=bool|subsearch-options]* subsearch
Arguments
- override
- Datatype: <bool>
- Description: If option override is false (default), if a field is present in both a subsearch result and the main result, the main result is used
Description
Appends fields of the results of the subsearch into input search results by combining the external fields of the subsearch (fields that do not start with '_') into the current results. The first subsearch result is merged with the first main result, the second with the second, and so on. If option override is false (default), if a field is present in both a subsearch result and the main result, the main result is used. If it is true, the subsearch result's value for that field is used.
Examples
Example 1: Search for "404" events and append the fields in each event to the previous search results.
... | appendcols [search 404]
See also
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.