Splunk® Enterprise

Search Reference

appendcols

Description

Appends the fields of the subsearch results to the input search results. External fields of the subsearch that do not start with an underscore character ( _ ) are not combined into the current results. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.

Syntax

appendcols [override=<bool> | <subsearch-options>...] <subsearch>

Required arguments

subsearch
Description: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments

override
Syntax: override=<bool>
Description: If the override argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.
Default: override=false
subsearch-options
Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
Description: These options control how the subsearch is executed.

Subsearch options

maxtime
Syntax: maxtime=<int>
Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.
Default: 60
maxout
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch.
Default: 50000
timeout
Syntax: timeout=<int>
Description: The maximum time, in units of seconds, to wait for the subsearch to fully finish.
Default: 60

Examples

Example 1:

Search for "404" events and append the fields in each event to the previous search results.

... | appendcols [search 404]

Example 2:

This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields.

specific.server | stats dc(userID) as totalUsers | appendcols [ search specific.server AND "text" | addinfo | where _time >= info_min_time AND _time <=info_max_time | stats count(field) as variableA ] | eval variableB = exact(variableA/totalUsers)

  • First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers".
  • Then, this search uses appendcols to search the server and count how many times a certain field occurs on that specific server. This count is named "variableA". The addinfo command is used to constrain this subsearch within the range of info_min_time and info_max_time.
  • The eval command is used to define a "variableB".


The result is a table with the fields totalUsers, variableA, and variableB.
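
The positional merge described in the Description pairs rows by order, not by any shared field, which matters when the main search and the subsearch return different sets of rows. The following search is an added example, not part of the Splunk documentation; it assumes the makeresults command is available in your version, and the host names and counts are constructed sample values.

```spl
| makeresults count=3
| streamstats count AS n
| eval host=case(n=1,"web01", n=2,"web02", n=3,"web03")
| eval failures=case(n=1,40, n=2,3, n=3,7)
| fields host failures
| appendcols override=false
    [| makeresults count=2
     | streamstats count AS n
     | eval host=case(n=1,"web01", n=2,"web03")
     | eval successes=case(n=1,900, n=2,650)
     | fields host successes ]
| table host failures successes
```

With override=false the second row keeps host=web02 from the main search but receives successes=650, which the subsearch produced for web03, and the third row has no successes value. When rows must match on a field, make both searches return the same keys in the same sort order, or use join, which matches on fields rather than on position.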

See also

append, appendpipe, join, set


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0

