Append command not working to combine two searches...

kanj · ‎02-06-2020

Hello there,

Step1:
user software_name dc_today dc_past
A XYZ.exe 1 9
B PQR.exe 2 3
C DTA.exe 0 1

The final result should be:
user software_name dc_today
A XYZ.exe 1

So I am running two similar searches with differences in timespan.
1) Append is not reflecting the sub-search
2) Is there more efficient way for this?

Thanks in advance!
KanJ

to4kawa · ‎02-06-2020

 index=* earliest=-1d 
| stats dc(user) as dc by software_name 
| eval dc_today=if(dc=1, 1, 0) 
| append 
    [ search index=* earliest=-5d 
    | stats dc(user) as dc by software_name 
    | eval dc_past=if(dc=1,1,0)] 
| table user software_name dc_today dc_past

The user of your query is disappear. because stats aggregates.

index=* earliest=-5d 
| stats dc(eval(if(related_time(now(),"-1d") <= _time,user,NULL))) as dc_today dc(user) as dc_past by software_name

Unique user count in software name is above.

The final result should be:
user software_name dc_today
A XYZ.exe 1

What's your logic?

Append command not working to combine two searches with the same result but events occurred in two different timespans

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Append command not working to combine two searches with the same result but events occurred in two different timespans

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!