
APPEND is not UNION?

Path Finder

Splunk version 4.3

search A : index=webserver1 type=error | table serverName message method
search B : index=webserver2 type=error | table serverName message method
search C : index=webserver1 type=error | table serverName message method | APPEND [index=webserver2 type=error] | table serverName message method

Search A returns 20 results.
Search B returns 0 results.
Search C returns 0 results. Why?

I expected the result to be 20+0=20.

Thanks, everyone.


Re: APPEND is not UNION?

Contributor

There is an error in search C; try this:

index=webserver1 type=error | APPEND [search index=webserver2 type=error] | table serverName message method

0 Karma

Re: APPEND is not UNION?

Contributor

Technically two errors but you fixed them both.


Re: APPEND is not UNION?

Contributor

There are two problems here. The first is that in a subsearch you need to actually write out 'search' at the beginning. Also, the order should be different. You first need to append them and then make it a table; you can't append a table with a search. Hope this works:

search C: index=webserver1 type=error | append [search index=webserver2 type=error] | table serverName message method


Re: APPEND is not UNION?

Path Finder

Thanks for your help.


Re: APPEND is not UNION?

Contributor

Sure thing.

0 Karma

Re: APPEND is not UNION?

Contributor

Should be the accepted answer.

0 Karma

Re: APPEND is not UNION?

SplunkTrust

Note it makes no sense to run search C. Instead you would run:

(index=webserver1 OR index=webserver2) type=error | table serverName message method

and this will run much faster than using append. Append should be used only as a last resort when faster, simpler methods fail.


Re: APPEND is not UNION?

Contributor

Good point.

0 Karma

Re: APPEND is not UNION?

Contributor

No reason to write out more than needed

0 Karma