Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF



Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.


appendcols [override=bool|subsearch-options]* subsearch

Required arguments

Description: A search pipeline. Read more about how subsearches work in the User manual.

Optional arguments

Datatype: <bool>
Description: If option override is false (default), if a field is present in both a subsearch result and the main result, the main result is used.
Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
Description: Controls how the subsearch is executed.

Subsearch options

Syntax: maxtime=<int>
Description: The maximum time (in seconds) to spend on the subsearch before automatically finalizing. Defaults to 60.
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch. Defaults to 50000.
Syntax: timeout=<int>
Description: The maximum time (in seconds) to wait for subsearch to fully finish. Defaults to 120.


Appends fields of the results of the subsearch into input search results by combining the external fields of the subsearch (fields that do not start with '_') into the current results. The first subsearch result is merged with the first main result, the second with the second, and so on. If option override is false (default), if a field is present in both a subsearch result and the main result, the main result is used. If it is true, the subsearch result's value for that field is used.


Example 1: Search for "404" events and append the fields in each event to the previous search results.

... | appendcols [search 404]

See also

append, join, set


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the appendcols command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters