Appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the
appendpipe command. The
appendpipe command is used to append the output of transforming commands, such as
appendpipe [run_in_preview=<bool>] [<subpipeline>]
- Syntax: run_in_preview=<bool>
- Description: Specifies whether or not display the impact of the
appendpipecommand in the preview. When set to FALSE, the search runs and the preview shows the results as if the
appendpipecommand is not part of the search. However, when the search finishes, the results include the impact of the
- Default: True
- Syntax: <subpipeline>
- Description: A list of commands that are applied to the search results from the commands that occur in the search before the
appendpipe command can be useful because it provides a summary, total, or otherwise descriptive row of the entire dataset when you are constructing a table or chart. This command is also useful when you need the original results for additional calculations.
Append subtotals for each action across all users.
index=_audit | stats count by action user | appendpipe [stats sum(count) as count by action | eval user = "TOTAL - ALL USERS"] | sort action
The results appear on the Statistics tab and look something like this:
|accelerate_search||TOTAL - ALL USERS||380|
|add||TOTAL - ALL USERS||1|
|change_authentication||TOTAL - ALL USERS||83|
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the appendpipe command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.3, 7.0.2, 7.0.5, 7.1.3, 7.2.0