
appendpipe
Description
Appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the appendpipe command. The appendpipe command is used to append the output of transforming commands, such as chart, timechart, stats, and top.
Syntax
appendpipe [run_in_preview=<bool>] [<subpipeline>]
Optional Arguments
- run_in_preview
- Syntax: run_in_preview=<bool>
- Description: Specifies whether or not to display the impact of the appendpipe command in the preview. When set to FALSE, the search runs and the preview shows the results as if the appendpipe command is not part of the search. However, when the search finishes, the results include the impact of the appendpipe command.
- Default: True
- subpipeline
- Syntax: <subpipeline>
- Description: A list of commands that are applied to the search results from the commands that occur in the search before the appendpipe command.
Usage
The appendpipe command can be useful because it provides a summary, total, or otherwise descriptive row of the entire dataset when you are constructing a table or chart. This command is also useful when you need the original results for additional calculations.
Examples
Example 1:
Append subtotals for each action across all users.
index=_audit | stats count by action user | appendpipe [stats sum(count) as count by action | eval user = "TOTAL - ALL USERS"] | sort action
The results appear on the Statistics tab and look something like this:
action | user | count |
---|---|---|
accelerate_search | admin | 209 |
accelerate_search | buttercup | 345 |
accelerate_search | can-delete | 6 |
accelerate_search | TOTAL - ALL USERS | 560 |
add | n/a | 1 |
add | TOTAL - ALL USERS | 1 |
change_authentication | admin | 50 |
change_authentication | buttercup | 9 |
change_authentication | can-delete | 24 |
change_authentication | TOTAL - ALL USERS | 83 |
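Because a subpipeline runs over whatever results exist when the search reaches it, a second appendpipe also sees the rows appended by the first one. The following added example (not part of the original documentation) extends Example 1 with a grand-total row and filters on the subtotal rows so that no count is summed twice. The labels ALL ACTIONS and GRAND TOTAL are made up for illustration.

```spl
index=_audit
| stats count by action user
| appendpipe
    [ stats sum(count) as count by action
    | eval user = "TOTAL - ALL USERS" ]
| appendpipe
    [ search user="TOTAL - ALL USERS"
    | stats sum(count) as count
    | eval action = "ALL ACTIONS", user = "GRAND TOTAL" ]
| sort action
```

Without the search filter in the second subpipeline, the per-user rows and the subtotal rows would be added together and the grand total would be double the true count.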
See also
append, appendcols, join, set
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the appendpipe command.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.9, 6.4.10, 6.4.11, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 6.4.8, 6.5.0, 6.5.1, 6.5.10
Comments
Are there any notable distinctions between a [<subpipeline>] and a [<subsearch>]? Clearly the first search command within the subpipeline is not a generating search command (as it would be in a subsearch), but other than that, are there any restrictions? In particular, I'm running into trouble getting the "map" command to work within an appendpipe and can't determine if that's a known limitation, intentional restriction, or just a bug.
Woodcock, thanks for noticing that. I have added a more complete description to the 'run_in_preview' argument.
There is no description to tell us what "run_in_preview" does.
Hello lalleman
Thank you for your comment. I spoke with one of our lead developers. As a result of your question, I have filed a bug to investigate this issue of using map with appendpipe. He also mentioned that the map command is not particularly scalable. Please post your question on Splunk Answers or on Slack Chat. We have a great customer community who are particularly good at helping others with their specific questions. Here are the links to both Answers and Chat:
https://answers.splunk.com/
https://splunk-usergroups.slack.com/messages/general/