https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94186#M24260 <P>That makes sense. thx.</P> Tue, 02 Jul 2013 23:20:52 GMT cpeteman 2013-07-02T23:20:52Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94177#M24251 <P>Splunk version 4.3</P> <P>search A : index=webserver1 type=error | table serverName message method<BR /> search B : index=webserver2 type=error | table serverName message method<BR /> search C : index=webserver1 type=error | table serverName message method | APPEND [index=webserver2 type=error] | table serverName message method</P> <P>search A results is 20.<BR /> search B results is 0.<BR /> search C results is 0. Why?</P> <P>I expected results is 20+0=20.</P> <P>Thanks. Everyone</P> Thu, 15 Mar 2012 22:18:58 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94177#M24251 joy76 2012-03-15T22:18:58Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94178#M24252 <P>there is an error in search C, try this:</P> <P>index=webserver1 type=error | APPEND [search index=webserver2 type=error] | table serverName message method</P> Fri, 16 Mar 2012 10:03:09 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94178#M24252 imrago 2012-03-16T10:03:09Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94179#M24253 <P>Technically two errors but you fixed them both.</P> Fri, 28 Jun 2013 20:35:52 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94179#M24253 cpeteman 2013-06-28T20:35:52Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94180#M24254 <P>There are two Problems here. The first is that in a subsearch you need to actually write out 'search' in the beginning. Also the order should be different. You first need to append them and the make it a table you can't append a table with a search. Hope this works:</P> <P>search C: index=webserver1 type=error | append [search index=webserver2 type=error] | table serverName message method</P> Fri, 28 Jun 2013 20:39:18 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94180#M24254 cpeteman 2013-06-28T20:39:18Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94181#M24255 <P>Note it makes no sense to run search C. Instead you would run: </P> <P><CODE>(index=webserver1 OR index=webserver2) type=error | table serverName message method</CODE></P> <P>and this will run much faster than using append. Append should be used only as a last resort when faster simpler methods fail.</P> Sat, 29 Jun 2013 04:02:41 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94181#M24255 sideview 2013-06-29T04:02:41Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94182#M24256 <P>Good point.</P> Mon, 01 Jul 2013 22:19:07 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94182#M24256 cpeteman 2013-07-01T22:19:07Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94183#M24257 <P>No reason to write out more than needed</P> Mon, 01 Jul 2013 22:20:59 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94183#M24257 cpeteman 2013-07-01T22:20:59Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94184#M24258 <P>Sorry one last comment. Are the parens necessary here? I'm aware of the inherent AND but would:<BR /> index=webserver1 OR index=webserver2 type=error | table serverName message method<BR /> work the same?</P> Mon, 01 Jul 2013 22:28:21 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94184#M24258 cpeteman 2013-07-01T22:28:21Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94185#M24259 <P>No, they're not necessary in the language. But when there's ambiguity, once in a while people do misinterpret what the search is doing, so I like to put in the parentheses when there's ambiguity. Along the same lines as the principle of not writing the most advanced code you can - if you do that then only some as good as you or better can read it.</P> Mon, 01 Jul 2013 23:26:21 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94185#M24259 sideview 2013-07-01T23:26:21Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94186#M24260 <P>That makes sense. thx.</P> Tue, 02 Jul 2013 23:20:52 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94186#M24260 cpeteman 2013-07-02T23:20:52Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94187#M24261 <P>Thanks for you help.</P> Thu, 08 Aug 2013 04:27:23 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94187#M24261 joy76 2013-08-08T04:27:23Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94188#M24262 <P>Sure thing.</P> Thu, 08 Aug 2013 15:02:40 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94188#M24262 cpeteman 2013-08-08T15:02:40Z https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94189#M24263 <P>should be accepted answer</P> Fri, 07 Sep 2018 11:56:43 GMT https://community.splunk.com/t5/Splunk-Search/APPEND-is-not-UNION/m-p/94189#M24263 morethanyell 2018-09-07T11:56:43Z