appendpipe
Description
Appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the appendpipe command. The appendpipe command is used to append the output of transforming commands, such as chart, timechart, stats, and top.
Syntax
appendpipe [run_in_preview=<bool>] [<subpipeline>]
Optional Arguments
- run_in_preview
- Syntax: run_in_preview=<bool>
- Description: Specifies whether or not display the impact of the
appendpipecommand in the preview. When set to FALSE, the search runs and the preview shows the results as if theappendpipecommand is not part of the search. However, when the search finishes, the results include the impact of theappendpipecommand. - Default: True
- subpipeline
- Syntax: <subpipeline>
- Description: A list of commands that are applied to the search results from the commands that occur in the search before the
appendpipecommand.
Usage
The appendpipe command can be useful because it provides a summary, total, or otherwise descriptive row of the entire dataset when you are constructing a table or chart. This command is also useful when you need the original results for additional calculations.
Examples
Example 1:
Append subtotals for each action across all users.
index=_audit | stats count by action user | appendpipe [stats sum(count) as count by action | eval user = "TOTAL - ALL USERS"] | sort action
The results appear on the Statistics tab and look something like this:
| action | user | count |
|---|---|---|
| accelerate_search | admin | 209 |
| accelerate_search | buttercup | 345 |
| accelerate_search | can-delete | 6 |
| accelerate_search | TOTAL - ALL USERS | 560 |
| add | n/a | 1 |
| add | TOTAL - ALL USERS | 1 |
| change_authentication | admin | 50 |
| change_authentication | buttercup | 9 |
| change_authentication | can-delete | 24 |
| change_authentication | TOTAL - ALL USERS | 83 |
See also
append, appendcols, join, set
| appendcols | arules |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!