Splunk Cloud Platform

Search Reference



Appends the fields of the subsearch results to the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. The merge is positional: the first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.


appendcols [override= <bool> | <subsearch-options>...] <subsearch>

Required arguments

Description: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments

Syntax: override=<bool>
Description: If the override argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.
Default: override=false
Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
Description: These options control how the subsearch is executed.

Subsearch options

Syntax: maxtime=<int>
Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.
Default: 60
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch.
Default: 50000
Syntax: timeout=<int>
Description: The maximum time, in units of seconds, to wait for the subsearch to fully finish.
Default: 60


The appendcols command must be placed in a search string after a transforming command such as stats, chart, or timechart. The appendcols command can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command. See Command types.

Note that the subsearch argument to the appendcols command doesn't have to contain a transforming command.


Example 1:

Search for "404" events and append the fields in each event to the previous search results.

index=_internal | table host | appendcols [ search 404]

This is a valid search string because appendcols comes after the transforming command table and adds columns to an existing table of results.

Example 2:

This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields.

specific.server | stats dc(userID) as totalUsers | appendcols [ search specific.server AND "text" | stats count(<field>) as variableA ] | eval variableB = exact(variableA/totalUsers)

  • First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers".
  • Then, this search uses appendcols to search the server and count how many times a certain field occurs on that specific server. This count is renamed "variableA". The addinfo command adds the info_min_time and info_max_time fields to the search results. The where command is used to constrain the subsearch within the time range of those fields.
  • The eval command is used to define variableB.

The result is a table with the fields totalUsers, variableA, and variableB.
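The following is an added example, not Splunk code or a Splunk-supplied sample: a small Python model of the row-wise merge described at the top of this page, applied to result tables shaped like the totalUsers/variableA output of Example 2. It assumes that internal fields are the ones whose names start with an underscore, and it makes the positional nature of the merge visible: because rows are paired by position rather than by a key field, a subsearch whose rows come back in a different order silently attaches the wrong values when override=false, and overwrites the main row's key when override=true.

```python
"""Model of the appendcols merge (added example; not Splunk's implementation)."""
from typing import Dict, List

Row = Dict[str, str]


def is_internal(field: str) -> bool:
    # Assumption: Splunk internal fields are those whose names start with "_".
    return field.startswith("_")


def appendcols(main: List[Row], sub: List[Row], override: bool = False,
               maxout: int = 50000) -> List[Row]:
    """Merge the i-th subsearch row into the i-th main row.

    override=False keeps the main value when a field exists in both rows;
    override=True takes the subsearch value. maxout caps the number of
    subsearch rows consumed, as the maxout option does.
    """
    sub = sub[:maxout]
    merged: List[Row] = []
    for i, row in enumerate(main):
        out = dict(row)                      # main row is never truncated
        if i < len(sub):                     # extra main rows get no new fields
            for field, value in sub[i].items():
                if is_internal(field):
                    continue                 # internal fields are not appended
                if override or field not in out:
                    out[field] = value
        merged.append(out)
    return merged


# Constructed sample results, in the shape of Example 2 but split by host.
# The subsearch rows come back in the opposite host order to the main rows.
MAIN = [{"host": "web01", "totalUsers": "12"},
        {"host": "web02", "totalUsers": "7"}]
SUB = [{"host": "web02", "variableA": "3", "_raw": "constructed raw event"},
       {"host": "web01", "variableA": "9"}]


def misaligned_rows(main: List[Row], sub: List[Row]) -> List[str]:
    """Hosts in the merged table whose variableA actually came from another host."""
    merged = appendcols(main, sub)  # override=False keeps main's host, hiding the mismatch
    return [m["host"] for m, s in zip(merged, sub) if m["host"] != s["host"]]
```

Pairing by a key field (for example with a join or a stats ... by host over both result sets) avoids this class of mistake in detection logic that appendcols cannot detect for you.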

See also

append, appendpipe, join, set

Last modified on 27 October, 2023

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403
