https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/573881#M8573 <LI-CODE lang="markup">search | table A B C | append [search | table A B C]</LI-CODE> Fri, 05 Nov 2021 23:30:04 GMT ITWhisperer 2021-11-05T23:30:04Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/573879#M8572 <P>Hello</P><P>Is it possible to append two searches?</P><P>I have a search that ends in:</P><P>| table A B C</P><P>And I want to append to the above some values under A, B, C that I calculate.</P><P>Can you tell me please the syntax for that?</P><P>Thanks!</P> Fri, 05 Nov 2021 23:27:29 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/573879#M8572 SplnkUse 2021-11-05T23:27:29Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/573881#M8573 <LI-CODE lang="markup">search | table A B C | append [search | table A B C]</LI-CODE> Fri, 05 Nov 2021 23:30:04 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/573881#M8573 ITWhisperer 2021-11-05T23:30:04Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/576496#M8616 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; thanks but I cannot make it work, it seems it does not keep aliases within the brackets and run the whole thing as one, instead of each separately and then join, is there any solution?</P> Sun, 28 Nov 2021 01:14:31 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/576496#M8616 SplnkUse 2021-11-28T01:14:31Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/576507#M8617 <P>What is the actual search that you are using?</P> Sun, 28 Nov 2021 07:34:47 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/576507#M8617 ITWhisperer 2021-11-28T07:34:47Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578184#M8640 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; thanks, I am trying to combine searches in the following format. I know it may be difficult to picture the below but I cannot post more exact data.</P><P>&nbsp;</P><P>I think the problem is that&nbsp; the:</P><P>&nbsp;eval a="aaa"</P><P>is contained in two different searches and is set to different values.</P><P>Any idea?</P><P><STRONG>index=a aa!="" | fields aa </STRONG><BR /><STRONG>| stats count by aa</STRONG><BR /><STRONG>| eval a="aa"</STRONG><BR /><STRONG>| eval Timestamp=strftime(now(),"%d/%m/%Y %H:%M:00")</STRONG><BR /><STRONG>| table a b c</STRONG></P><P><STRONG>| append [</STRONG><BR /><STRONG>search</STRONG><BR /><STRONG>index=aa or index=bbb</STRONG><BR /><STRONG>| eval</STRONG><BR /><STRONG>| stats</STRONG><BR /><STRONG>| eval a="aaa"</STRONG><BR /><STRONG>| eval Timestamp=strftime(now(),"%d/%m/%Y %H:%M:00")</STRONG><BR /><STRONG>| table a bb cc</STRONG><BR /><STRONG>]</STRONG><BR /><STRONG>| append [</STRONG><BR /><STRONG>search</STRONG><BR /><STRONG>index=aa or index=bbb</STRONG><BR /><STRONG>| eval</STRONG><BR /><STRONG>| stats</STRONG><BR /><STRONG>| eval a="aaaa"</STRONG><BR /><STRONG>| eval Timestamp=strftime(now(),"%d/%m/%Y %H:%M:00")</STRONG><BR /><STRONG>| table a bbb ccc</STRONG></P> Mon, 13 Dec 2021 11:23:26 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578184#M8640 SplnkUse 2021-12-13T11:23:26Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578191#M8641 <P>This is the right sort of syntax - what is the issue you are facing with doing it this way?</P> Mon, 13 Dec 2021 12:42:18 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578191#M8641 ITWhisperer 2021-12-13T12:42:18Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578540#M8642 <P><STRONG><FONT face="courier new,courier">| append [...]</FONT></STRONG> will append the inner search results to the outer search. For example: <FONT face="courier new,courier">index=foo | stats count | append [index=bar | stats count]</FONT></P><P><STRONG><FONT face="courier new,courier">| appendpipe [...]</FONT> </STRONG>will prolongate the outer search with the inner search modifications, and append the results instead of replacing them. For example: <FONT face="courier new,courier">... | appendpipe [ | stats count as extracount]</FONT></P><P><FONT face="courier new,courier"><STRONG>| eventstats ...</STRONG> </FONT>will add extra columns to an existing table with a treatment like a stats, without any further transformation. For example <FONT face="courier new,courier">| eventstats avg(bytes) by server&nbsp;</FONT></P><P><FONT face="courier new,courier"><STRONG>| streamstats ...</STRONG> </FONT>will add extra columns to an existing table, but each calculated result depend on the previous results. For example:&nbsp; <FONT face="courier new,courier">| streamstats count as rank</FONT></P><P>For your needs, append may not be what you're looking for. The 2 searches are independant.</P> Wed, 15 Dec 2021 20:34:34 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578540#M8642 ldongradi_SPL 2021-12-15T20:34:34Z https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578542#M8643 <P>The syntax looks ok, but each of your subsearches returns different set of fields. If you want to have three columns as output, you have to return the same set of fields from each of subsearches. Do a rename at the end of your subsearches so that the returned fields are named consistently.</P><P>&nbsp;</P> Wed, 15 Dec 2021 20:40:37 GMT https://community.splunk.com/t5/Knowledge-Management/Appending-tables-in-searches/m-p/578542#M8643 PickleRick 2021-12-15T20:40:37Z