Splunk Cloud

Search Reference




Appends the fields of the subsearch results with the input search results. External fields of the subsearch that do not start with an underscore character ( _ ) are not combined into the current results. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.


appendcols [override=<bool> | <subsearch-options>...] <subsearch>

Required arguments

subsearch
Description: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments

override
Syntax: override=<bool>
Description: If the override argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.
Default: override=false

subsearch-options
Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
Description: These options control how the subsearch is executed.

Subsearch options

maxtime
Syntax: maxtime=<int>
Description: The maximum time, in seconds, to spend on the subsearch before automatically finalizing.
Default: 60

maxout
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch.
Default: 50000

timeout
Syntax: timeout=<int>
Description: The maximum time, in seconds, to wait for the subsearch to fully finish.
Default: 60


Example 1:

Search for "404" events and append the fields in each event to the previous search results.

... | appendcols [search 404]

Example 2:

This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields.

specific.server | stats dc(userID) as totalUsers | appendcols [ search specific.server AND "text" | addinfo | where _time >= info_min_time AND _time <= info_max_time | stats count(field) as variableA ] | eval variableB = exact(variableA/totalUsers)

  • First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers".
  • Then, this search uses appendcols to search the server and count how many times a certain field occurs on that specific server. This count is named "variableA". The addinfo command is used to constrain this subsearch within the range of info_min_time and info_max_time.
  • The eval command is used to define a "variableB".

The result is a table with the fields totalUsers, variableA, and variableB.
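
Added example (not part of the original Splunk documentation): a self-contained search that shows the row-by-row merge and the effect of override when the main search and the subsearch return a different number of rows. The field names host, status, and errors and their values are constructed for illustration; makeresults and streamstats generate the sample rows so that no indexed data is needed.

```spl
| makeresults count=3
| streamstats count AS n
| eval host="web0".n, status="main"
| appendcols override=true
    [| makeresults count=2
     | streamstats count AS n
     | eval status="sub", errors=n*10
     | fields status, errors]
| table host, status, errors
```

The first two rows take status and errors from the subsearch, while the third row has no subsearch counterpart and keeps status="main" with no errors value. With override=false, status stays "main" on every row, and because rows are paired by position rather than by any key field, both searches must return rows in the same order for the merged values to line up.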

See also

append, appendpipe, join, set


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the appendcols command.


This documentation applies to the following versions of Splunk Cloud: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3
