topic Help understanding appendpipe in Splunk Search

Help understanding appendpipe

chirsf — Tue, 02 Mar 2021 13:02:38 GMT

Hi,

I didn't find anything about this while searching so here's my question.

I'm working on the proving a negative problem, adding appendpipe after a stats in order to display a result of 0 for each day for the period of time I need. I usually do this for a single row, however I need to have multiple rows for multiple days as output for stats or more importantly timechart.

I ran into a scenario I cannot explain and wanted to understand further. While testing I created this search:

The results of this output 256 results for a single date/time, and others follow with smaller amounts but not counts of 1.

If I change it to this:

Every row has a single count except for one, which makes sense given how this is written. I can move forward with this, but now I would like to know why this happens.

Re: Help understanding appendpipe

ITWhisperer — Tue, 02 Mar 2021 13:34:43 GMT

appendpipe is operating on each event in the pipeline, so the first appendpipe only has one event (the first you created with makeresults) to work with, and it appends a new event to the pipeline. The second appendpipe now has two events to work with, so it appends a new event for each event, making a total of 4. The third appendpipe doubles your events again, and so on.

Re: Help understanding appendpipe

chirsf — Tue, 02 Mar 2021 14:34:43 GMT

Thanks, this makes total sense. I don't know if my solution here is the correct one, I mean it works so in that vein it's correct. However I feel like it's.. a hack lol.

Re: Help understanding appendpipe

ITWhisperer — Tue, 02 Mar 2021 14:48:00 GMT

Your approach is probably more hacky than others I have seen 😀 - you could use append with makeresults (append at the end of the pipeline rather than after each event), you could use union with makeresults, you could use makecontinuous over the time field (although you would need more than one event so append/makeresults or something similar would still be required). There are many ways to skin that cat. 😀

Re: Help understanding appendpipe

chirsf — Tue, 02 Mar 2021 14:54:20 GMT

Yea I thought about using makecontinuous but I cannot guarantee even a single event will show up for the time range I'm looking for to use that, or I misunderstand how that works. Thanks for the leads on the other ideas i appreciate it.

Re: Help understanding appendpipe

chirsf — Tue, 02 Mar 2021 15:32:32 GMT

Thanks to mmcul on slack this is the answer I'm going with:

| append [| gentimes start=-14 end=0 increment=1d | eval _time=starttime, category="test", value=0 | fields _time, category, value ]