Appends the results of a subsearch to the current results.
append command runs only over historical data and does not produce correct results if used in a real-time search.
For more information about when to use the append command, see the flowchart in the topic About event grouping and correlation in the Search Manual.
If you are familiar with SQL but new to SPL, see Splunk SPL for SQL users.
append [<subsearch-options>...] <subsearch>
- Description: A secondary search where you specify the source of the events that you want to append. See About subsearches in the Search Manual.
- Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
- Description: Controls how the subsearch is executed.
- Syntax: maxtime=<int>
- Description: The maximum time, in seconds, to spend on the subsearch before automatically finalizing.
- Default: 60
- Syntax: maxout=<int>
- Description: The maximum number of result rows to output from the subsearch.
- Default: 50000
- Syntax: timeout=<int>
- Description: The maximum time, in seconds, to wait for subsearch to fully finish.
- Default: 60
1: Use the append command to add column totals.
|This example uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), and so on, for each earthquake recorded.
You can download a current CSV file from the USGS Earthquake Feeds and add it as an input to the search.
Count the number of earthquakes that occurred in and around California yesterday and then calculate the total number of earthquakes.
source=usgs place=*California* | stats count by magType | append [search index=usgs_* source=usgs place=*California* | stats count]
This example searches for all the earthquakes in the California regions (
Region="*California"), then counts the number of earthquakes based on the magnitude type of the search.
You cannot use the
stats command to simultaneously count the total number of events and the number of events for a specified field. The subsearch is used to count the total number of earthquakes that occurred. This count is added to the results of the previous search with the
Because both searches share the
count field, the results of the subsearch are listed as the last row in the column.
This search demonstrates how to use the
append command in a way that is similar to using the
addcoltotals command to add the column totals.
2. Count the number of different customers who purchased items. Append the top purchaser for each type of product.
|This example uses the sample dataset from the Search Tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it into the Splunk platform. Then, run this search using the time range, Other > Yesterday.|
Count the number of different customers who purchased something from the Buttercup Games online store yesterday, and break this count down by the type of product (accessories, t-shirts, and type of games) they purchased. Also, list the top purchaser for each type of product and how much that person bought of that product.
sourcetype=access_* action=purchase | stats dc(clientip) BY categoryId | append [search sourcetype=access_* action=purchase | top 1 clientip BY categoryId] | table categoryId, dc(clientip), clientip, count
This example first searches for purchase events (
action=purchase). These results are piped into the
stats command and the
distinct_count() function is used to count the number of different users who make purchases. The
BY clause is used to break up this number based on the different category of products (
This example contains a subsearch as an argument for the
...[search sourcetype=access_* action=purchase | top 1 clientip BY categoryId]
The subsearch is used to search for purchase events and count the top purchaser (based on
clientip) for each category of products. These results are added to the results of the previous search using the
table command is used to display only the category of products (
categoryId), the distinct count of users who bought each type of product (
dc(clientip)), the actual user who bought the most of a product type (
clientip), and the number of each product that user bought (
You can see that the
append command just tacks on the results of the subsearch to the end of the previous search, even though the results share the same field values. It does not let you manipulate or reformat the output.
3. Use the append command to determine the number of unique IP addresses that accessed the Web server.
append command, along with the
top commands to determine the number of unique IP addresses that accessed the Web server. Find the user who accessed the Web server the most for each type of page request.
|This example uses the sample dataset from the Search Tutorial but should work with any format of Apache Web access log. Download the data set and follow the instructions to upload it to the search.|
Count the number of different IP addresses that accessed the Web server and also find the user who accessed the Web server the most for each type of page request (
sourcetype=access_* | stats dc(clientip), count by method | append [search sourcetype=access_* | top 1 clientip by method]
The Web access events are piped into the
stats command and the
dc() or distinct_count() function is used to count the number of different users who accessed the site. The
count() function is used to count the total number of times the site was accessed. These numbers are separated by the page request (
The subsearch is used to find the top user for each type of page request (
append command is used to add the result of the subsearch to the bottom of the table:
The first two rows are the results of the first search. The last two rows are the results of the subsearch. Both result sets share the
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the append command.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0.0, 7.0.1, 7.0.2