Appends the fields of the subsearch results with the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. For example, the first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.
appendcols [override= <bool> | <subsearch-options>...] <subsearch>
- Description: A secondary search added to the main search. See how subsearches work in the Search Manual.
- Syntax: override=<bool>
- Description: If the
overrideargument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If
override=true, the subsearch result value is used.
- Default: override=false
- Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
- Description: These options control how the subsearch is executed.
- Syntax: maxtime=<int>
- Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.
- Default: 60
- Syntax: maxout=<int>
- Description: The maximum number of result rows to output from the subsearch.
- Default: 50000
- Syntax: timeout=<int>
- Description: The maximum time, in units of seconds, to wait for subsearch to fully finish.
- Default: 60
appendcols command must be placed in a search string after a transforming command such as
appendcols command can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command. See Command types.
Note that the subsearch argument to the
appendcols command doesn't have to contain a transforming command.
Search for "404" events and append the fields in each event to the previous search results.
index=_internal | table host | appendcols [search 404]
This is a valid search string because
appendcols comes after the transforming command
table and adds columns to an existing table of results.
This search uses
appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields.
specific.server | stats dc(userID) as totalUsers | appendcols [ search specific.server AND "text" | addinfo | where _time >= info_min_time AND _time <=info_max_time | stats count(<field>) as variableA ] | eval variableB = exact(variableA/totalUsers)
- First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers".
- Then, this search uses
appendcolsto search the server and count how many times a certain field occurs on that specific server. This count is renamed "VariableA". The addinfo command adds the
info_max_timefields to the search results. The
wherecommand is used to constrain the subsearch within time range of those fields.
- The eval command is used to define a "variableB".
The result is a table with the fields
append, appendpipe, join, set
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.1, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 8.0.0, 8.0.10, 8.0.2
Feedback submitted, thanks!