appendpipe
Description
Appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the appendpipe
command. The appendpipe
command is used to append the output of transforming commands, such as chart
, timechart
, stats
, and top
.
Syntax
appendpipe [run_in_preview=<bool>] [<subpipeline>]
Optional Arguments
- run_in_preview
- Syntax: run_in_preview=<bool>
- Description: Specifies whether or not display the impact of the
appendpipe
command in the preview. When set to FALSE, the search runs and the preview shows the results as if theappendpipe
command is not part of the search. However, when the search finishes, the results include the impact of theappendpipe
command. - Default: True
- subpipeline
- Syntax: <subpipeline>
- Description: A list of commands that are applied to the search results from the commands that occur in the search before the
appendpipe
command.
Usage
The appendpipe
command can be useful because it provides a summary, total, or otherwise descriptive row of the entire dataset when you are constructing a table or chart. This command is also useful when you need the original results for additional calculations.
Examples
Example 1:
Append subtotals for each action across all users.
index=_audit | stats count by action user | appendpipe [stats sum(count) as count by action | eval user = "TOTAL - ALL USERS"] | sort action
The results appear on the Statistics tab and look something like this:
action | user | count |
---|---|---|
accelerate_search | admin | 209 |
accelerate_search | buttercup | 345 |
accelerate_search | can-delete | 6 |
accelerate_search | TOTAL - ALL USERS | 560 |
add | n/a | 1 |
add | TOTAL - ALL USERS | 1 |
change_authentication | admin | 50 |
change_authentication | buttercup | 9 |
change_authentication | can-delete | 24 |
change_authentication | TOTAL - ALL USERS | 83 |
See also
append, appendcols, join, set
appendcols | arules |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!