Splunk Enterprise

Appendpipe question

catta99
Explorer

Hi, 

I'm trying to learn how appendpipe works. To do that I've tried this dummy search, and I don't understand why appendpipe returns the highlighted row.

[Screenshot of the search and its results table: catta99_0-1727883685402.png]

ITWhisperer
SplunkTrust

appendpipe is processing all the events in the events pipeline. The second appendpipe has two events to process: the first one, which has no value for total1, so null+1=null (this is the third event), and the second, which has a value of 5, so 5+5=6 (this is the fourth event).

catta99
Explorer

Thank you for your answer, but I still didn't understand why in the third event the field total1=null+1.

ITWhisperer
SplunkTrust

Depending on your knowledge / background of computer systems and processing, this may or may not ring bells with you. Unix-based systems (and to some extent Windows, although Unix was there first) use a pipe construct to pass the output of one command to the input of the next. SPL does the same thing. The pipe symbol (|) delineates one command from the next, and the events that have been produced so far are passed from the output of one command to the next.

In your example, there is nothing in the events pipeline before the first pipe. The makeresults command is a generating command which generates events into the pipeline (without a count argument, there is just 1 event, as in this case).

This event (which just has the _time field) is passed to the eval command, which simply adds three additional fields and passes the event on to the next command (through the event pipeline).

The first appendpipe command receives the single event and outputs all the events it receives, and adds on any events that are generated from the processing of the events. In this case, it adds another field (total1) to all the events (just one) that it processes and outputs those (it) to the events pipeline. There are now 2 events in the pipeline.

The second appendpipe command receives the two events and outputs all the events it receives (the two it received from the previous appendpipe command), and processes the events in the pipeline. The first event that it processes doesn't have a value in total1 (as it is the original event from the makeresults), so total1+1 is null+1, which is null; test2 is added to the event and it is output to the events pipeline. The second event is then processed, which does have a value in total1, so total1 is updated in this event: 5+1=6. test2 is added to this event and it is output to the pipeline.

The pipeline now has 4 events in it which are what is displayed in the table.

Hopefully that is clearer now?

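The walk-through above, as an added example that is not from the thread or from Splunk's own code: a small Python model of the SPL event pipeline in which each command is a function from the list of events in the pipeline to a new list, and appendpipe runs its sub-search over a copy of every event currently in the pipeline before appending the results. The search it reproduces is an assumed reconstruction from the answer's description (the original is only in the screenshot); the field names a, b, c and the value "x" are constructed, while total1, test2 and the value 5 come from the thread. Running it produces the four rows the answer describes, including the third row where total1 is null because null+1 is null.

```python
"""Toy model of the SPL event pipeline described in the answer above.

Events are plain dicts (field -> value). A command takes the list of events
currently in the pipeline and returns the new list, so `run_search` is just
a left-to-right fold, exactly like the pipe symbol in SPL.
"""
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]
Command = Callable[[List[Event]], List[Event]]


def makeresults(count: int = 1) -> Command:
    """Generating command: ignores its input and emits `count` events that
    carry only _time (a constructed, fixed timestamp so runs are repeatable)."""
    def run(_events: List[Event]) -> List[Event]:
        return [{"_time": 1727883685} for _ in range(count)]
    return run


def eval_cmd(**exprs: Callable[[Event], Any]) -> Command:
    """Model of `eval`: each keyword is a field to set, its value a function
    of the event, evaluated left to right. A None result stands for SPL's
    null, so the field is left unset on that event."""
    def run(events: List[Event]) -> List[Event]:
        out = []
        for ev in events:
            ev = dict(ev)  # never mutate the events handed to us
            for field, fn in exprs.items():
                val = fn(ev)
                if val is None:
                    ev.pop(field, None)
                else:
                    ev[field] = val
            out.append(ev)
        return out
    return run


def plus(field: str, n: int) -> Callable[[Event], Optional[int]]:
    """`field + n`: null (None) when the field is absent, like null+1 in SPL."""
    return lambda ev: None if ev.get(field) is None else ev[field] + n


def appendpipe(*subpipeline: Command) -> Command:
    """Model of `appendpipe`: run the sub-pipeline over a copy of *every*
    event currently in the pipeline, then append its output after the
    originals. The originals pass through untouched, which is why the
    second appendpipe sees (and re-processes) the row the first one added."""
    def run(events: List[Event]) -> List[Event]:
        sub = [dict(ev) for ev in events]
        for cmd in subpipeline:
            sub = cmd(sub)
        return events + sub
    return run


def run_search(*pipeline: Command) -> List[Event]:
    """Feed the output of each command into the next, starting empty."""
    events: List[Event] = []
    for cmd in pipeline:
        events = cmd(events)
    return events


def thread_search() -> List[Event]:
    """Assumed reconstruction of the search in the screenshot:
       | makeresults
       | eval a=1, b=2, c=3
       | appendpipe [ eval total1=5 ]
       | appendpipe [ eval total1=total1+1, test2="x" ]
    a, b, c and "x" are constructed; total1, test2 and 5 come from the thread."""
    return run_search(
        makeresults(),
        eval_cmd(a=lambda e: 1, b=lambda e: 2, c=lambda e: 3),
        appendpipe(eval_cmd(total1=lambda e: 5)),
        appendpipe(eval_cmd(total1=plus("total1", 1), test2=lambda e: "x")),
    )


def render(events: List[Event], fields: List[str]) -> str:
    """Lay the rows out the way the results table would show them (blank = null)."""
    lines = ["\t".join(fields)]
    for ev in events:
        lines.append("\t".join(str(ev.get(f, "")) for f in fields))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(thread_search(), ["a", "b", "c", "total1", "test2"]))
```

The model deliberately treats a null eval result as "field not set", which is what makes total1 disappear in the third row; swap the sub-search in `thread_search` for your own to see how many rows each appendpipe adds.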

catta99
Explorer

Thank you so much, now it is clear.
