Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

appendpipe

Description

Appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the appendpipe command. The appendpipe command is used to append the output of transforming commands, such as chart, timechart, stats, and top.

Syntax

appendpipe [run_in_preview=<bool>] [<subpipeline>]

Optional Arguments

run_in_preview
Syntax: run_in_preview=<bool>
Description: Specifies whether or not display the impact of the appendpipe command in the preview. When set to FALSE, the search runs and the preview shows the results as if the appendpipe command is not part of the search. However, when the search finishes, the results include the impact of the appendpipe command.
Default: True
subpipeline
Syntax: <subpipeline>
Description: A list of commands that are applied to the search results from the commands that occur in the search before the appendpipe command.

Usage

The appendpipe command can be useful because it provides a summary, total, or otherwise descriptive row of the entire dataset when you are constructing a table or chart. This command is also useful when you need the original results for additional calculations.

Examples

Example 1:

Append subtotals for each action across all users.

index=_audit | stats count by action user | appendpipe [stats sum(count) as count by action | eval user = "TOTAL - ALL USERS"] | sort action

The results appear on the Statistics tab and look something like this:

action user count
accelerate_search admin 209
accelerate_search buttercup 345
accelerate_search can-delete 6
accelerate_search TOTAL - ALL USERS 560
add n/a 1
add TOTAL - ALL USERS 1
change_authentication admin 50
change_authentication buttercup 9
change_authentication can-delete 24
change_authentication TOTAL - ALL USERS 83

See also

append, appendcols, join, set

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the appendpipe command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Appendpipe:4.1&oldid=984840"
PREVIOUS
appendcols 		  NEXT
arules

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.10, 6.3.11, 6.3.12, 6.3.14, 4.3.1, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0, 6.3.2, 6.3.3, 6.3.4

Comments

Hello lalleman
Thank you for your comment. I spoke with one of our lead developers. As a result of your question, I have filed a bug to investigate this issues of using map with appendpipe. He also mentioned that the map command is not particularly scalable. Please post your question on Splunk Answers or on Slack Chat. We have a great customer community who are particularly good at helping others with their specific questions.Here are the links to both Answers and Chat:
https://answers.splunk.com/
https://splunk-usergroups.slack.com/messages/general/

Lstewart splunk, Splunker
February 2, 2016

Are there any notable distinctions between a [<subpipeline>] and a [<subsearch>]? Clearly the first search command within the subpipeline is not a generating search command (as it would be in a subsearch), but other than that, are there any restrictions? In particular, I'm running into trouble getting the "map" command to work within an appendpipe and can't determine if that's a known limitation, intentional restriction, or just a bug.

Lalleman
January 28, 2016

Woodcock, thanks for noticing that. I have added a more complete description to the 'run_in_preview' argument.

Lstewart splunk, Splunker
December 4, 2015

There is no description to tell us what "run_in_preview" does.

Woodcock
October 16, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters