https://community.splunk.com/t5/Splunk-Search/Add-a-for-loop-on-eval-command-for-number-of-hosts/m-p/501847#M139702 <P>That's the way <CODE>appendcols</CODE> works. The results from search 2 are added to the results from search 1 on a one-to-one basis. If there are fewer results in search 2 then some results from search 1 will not have the added columns. Also, note that the order in which the results are returned from each search should be the same so the one-to-one pairing of results makes sense.</P> <P>If you need the results from search 2 to be replicated to all results of search 1 then perhaps <CODE>filldown</CODE> will do.</P> Thu, 21 May 2020 12:46:48 GMT richgalloway 2020-05-21T12:46:48Z https://community.splunk.com/t5/Splunk-Search/Add-a-for-loop-on-eval-command-for-number-of-hosts/m-p/501846#M139701 <P>Hi,</P> <P>i have a query that returns two lines of results based on two hosts.<BR /> i then get a result from another query that only returns one line.<BR /> When i do the eval command i get a correct 'Match' for the first line but no entry for the second.</P> <P>How do i apply the 'appendcol' result to both lines?</P> <PRE><CODE>index =systems sourcetype = stream_stack PID=0x0055 | eval Packets=packets*208 | stats latest(Packets) AS Packets by host | appendcols [ search index=systems sourcetype=soms_file_size process=soms | stats latest(file_size) AS file_size latest(file_name) AS file_name by process ] | eval match=if(Packets=file_size,"OK","Error") | table process match Packets file_size file_name host </CODE></PRE> <P>RESULT</P> <PRE><CODE>process match file_size file_name host soms OK 27666832 DR_270919_P_5068_719_750_750.out chietrp01 Error chietrp02 </CODE></PRE> <P>thanks,</P> Thu, 21 May 2020 11:19:59 GMT https://community.splunk.com/t5/Splunk-Search/Add-a-for-loop-on-eval-command-for-number-of-hosts/m-p/501846#M139701 ssaenger 2020-05-21T11:19:59Z https://community.splunk.com/t5/Splunk-Search/Add-a-for-loop-on-eval-command-for-number-of-hosts/m-p/501847#M139702 <P>That's the way <CODE>appendcols</CODE> works. The results from search 2 are added to the results from search 1 on a one-to-one basis. If there are fewer results in search 2 then some results from search 1 will not have the added columns. Also, note that the order in which the results are returned from each search should be the same so the one-to-one pairing of results makes sense.</P> <P>If you need the results from search 2 to be replicated to all results of search 1 then perhaps <CODE>filldown</CODE> will do.</P> Thu, 21 May 2020 12:46:48 GMT https://community.splunk.com/t5/Splunk-Search/Add-a-for-loop-on-eval-command-for-number-of-hosts/m-p/501847#M139702 richgalloway 2020-05-21T12:46:48Z https://community.splunk.com/t5/Splunk-Search/Add-a-for-loop-on-eval-command-for-number-of-hosts/m-p/501848#M139703 <P>Thank you richgalloway this worked.</P> <P>For those seeking solution, here is the code for filldown, nice and easy - </P> <PRE><CODE> index =systems sourcetype = stream_stack PID=0x0055 | eval Packets=packets*208 | stats latest(Packets) AS Packets by host | appendcols [ search index=systems sourcetype=soms_file_size process=soms | stats latest(file_size) AS file_size latest(file_name) AS file_name by process ] | filldown process, file_size, file_name | eval match=if(Packets=file_size,"OK","Error") | table process match Packets file_size file_name host </CODE></PRE> Sun, 24 May 2020 08:43:48 GMT https://community.splunk.com/t5/Splunk-Search/Add-a-for-loop-on-eval-command-for-number-of-hosts/m-p/501848#M139703 ssaenger 2020-05-24T08:43:48Z