Appends the fields of the subsearch results with the input search results. External fields of the subsearch that do not start with an underscore character ( _ ) are not combined into the current results. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.
appendcols [override= <bool> | <subsearch-options>...] <subsearch>
- Description: A secondary search added to the main search. See how subsearches work in the Search Manual.
- Syntax: override=<bool>
- Description: If the override argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.
- Default: override=false
- Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
- Description: These options control how the subsearch is executed.
- Syntax: maxtime=<int>
- Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.
- Default: 60
- Syntax: maxout=<int>
- Description: The maximum number of result rows to output from the subsearch.
- Default: 50000
- Syntax: timeout=<int>
- Description: The maximum time, in units of seconds, to wait for the subsearch to fully finish.
- Default: 60
Search for "404" events and append the fields in each event to the previous search results.
... | appendcols [search 404]
This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields.
specific.server | stats dc(userID) as totalUsers | appendcols [ search specific.server AND "text" | addinfo | where _time >= info_min_time AND _time <=info_max_time | stats count(field) as variableA ] | eval variableB = exact(variableA/totalUsers)
- First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers".
- Then, this search uses appendcols to search the server and count how many times a certain field occurs on that specific server. This count is renamed "variableA". The addinfo command is used to constrain this subsearch within the range of info_min_time and info_max_time.
- The eval command is used to define a "variableB".
The result is a table with the fields totalUsers, variableA, and variableB.
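The row-by-row merge and the override argument described above can be modelled outside Splunk. The following Python sketch is an added illustration, not Splunk code or part of the original documentation; the function names and the sample rows are constructed, it only covers the case where the subsearch returns no more rows than the main search, and it does not model the handling of underscore-prefixed fields. It shows that rows are paired by position rather than by any shared field, so a value can land on the wrong row when the two result sets are not aligned.

```python
# Added illustration: a small model of the appendcols merge rules
# (positional pairing, override flag). Names and data are constructed.

def appendcols(main, sub, override=False):
    """Merge sub[i] into main[i] by position and return new rows.

    Assumption: only len(sub) <= len(main) is modelled; main rows
    without a partner are returned unchanged.
    """
    if len(sub) > len(main):
        raise ValueError("not modelled: subsearch has more rows than main")
    merged = []
    for i, row in enumerate(main):
        out = dict(row)  # copy so the caller's rows are not mutated
        if i < len(sub):
            for field, value in sub[i].items():
                # override=false keeps the main value on a field collision
                if override or field not in out:
                    out[field] = value
        merged.append(out)
    return merged


def misaligned_rows(main, sub, key):
    """Return positions where both rows carry `key` but the values differ."""
    return [i for i, (m, s) in enumerate(zip(main, sub))
            if key in m and key in s and m[key] != s[key]]


# Constructed sample: two per-user result sets. "bob" has no failures,
# so the subsearch is one row shorter and "carol" shifts up a position.
MAIN = [
    {"user": "alice", "logins": 12},
    {"user": "bob", "logins": 7},
    {"user": "carol", "logins": 3},
]
SUB = [
    {"user": "alice", "failures": 1},
    {"user": "carol", "failures": 40},
]

if __name__ == "__main__":
    for row in appendcols(MAIN, SUB):
        print(row)  # carol's 40 failures end up on bob's row
    print("misaligned positions:", misaligned_rows(MAIN, SUB, "user"))
```

With override=false the collision on "user" is resolved silently in favour of the main result, so comparing a shared key field before trusting the merged columns is the practical check.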
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103