appendcols
Description
Appends the fields of the subsearch results with the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. For example, the first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.
Syntax
appendcols [override= <bool> | <subsearch-options>...] <subsearch>
Required arguments
- subsearch
- Description: A secondary search added to the main search. See how subsearches work in the Search Manual.
Optional arguments
- override
- Syntax: override=<bool>
- Description: If the
override
argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. Ifoverride=true
, the subsearch result value is used. - Default: override=false
- subsearch-options
- Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
- Description: These options control how the subsearch is executed.
Subsearch options
- maxtime
- Syntax: maxtime=<int>
- Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.
- Default: 60
- maxout
- Syntax: maxout=<int>
- Description: The maximum number of result rows to output from the subsearch.
- Default: 50000
- timeout
- Syntax: timeout=<int>
- Description: The maximum time, in units of seconds, to wait for subsearch to fully finish.
- Default: 60
Usage
The appendcols
command must be placed in a search string after a transforming command such as stats
, chart
, or timechart
. The appendcols
command can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command. See Command types.
Note that the subsearch argument to the appendcols
command doesn't have to contain a transforming command.
Examples
Example 1:
Search for "404" events and append the fields in each event to the previous search results.
index=_internal
| table host
| appendcols
[ search 404]
This is a valid search string because appendcols
comes after the transforming command table
and adds columns to an existing table of results.
Example 2:
This search uses appendcols
to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields.
specific.server
| stats dc(userID) as totalUsers
| appendcols
[ search specific.server AND "text"
| stats count(<field>) as variableA ]
| eval variableB = exact(variableA/totalUsers)
- First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers".
- Then, this search uses
appendcols
to search the server and count how many times a certain field occurs on that specific server. This count is renamed "VariableA". The addinfo command adds theinfo_min_time
andinfo_max_time
fields to the search results. Thewhere
command is used to constrain the subsearch within time range of those fields. - The eval command is used to define a "variableB".
The result is a table with the fields totalUsers
, variableA
, and variableB
.
See also
append, appendpipe, join, set
append | appendpipe |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!