Splunk Search

Appendcols error doesn't make sense

EricLloyd79
Builder

I have a query that works when I run it with a time range under 4 hours but anything at 4 hours or over, I get this error:

Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart).

This is my query:

sourcetype=xxx-prod XXXX status=foobar mdn | chart values(itemid) as itemid over mdn 
| appendcols [search sourcetype=xxx-prod XXXX status=foobar mdn | chart count(mdn) as countmdn over mdn] 
| where (countmdn >=20)

I've also tried to run this query with stats instead of chart (with a by instead of over). Is there something I'm missing? Just as a caveat, the result set is large; the query returns about 450,000 events for 4 hours (it actually will retrieve these events; the error appears at the end, when it's attempting to do the appendcols, I assume).

It's clear that I have appendcols after my reporting command. Can anyone shed some light on this?

1 Solution

lguinn2
Legend

I am not sure what is happening here, but you don't need appendcols at all. Doing your search this way is not efficient, plus there are limits to the number of results that will be returned from subsearches.

This will work great and be at least twice as fast:

sourcetype=xxx-prod XXXX status=foobar mdn 
| chart values(itemid) as itemid count(mdn) as countmdn  over mdn 
| where (countmdn >=20)

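As an added illustration (a Python model written for this page, not Splunk code and not from the thread), this shows why the single-chart form is the safer one: both forms give the same table when the subsearch returns every row, but appendcols pairs rows by position, so a subsearch that hits the result limit silently leaves later rows without countmdn and the where clause then drops them. The events and the limit value are constructed.

```python
from collections import defaultdict

# Constructed sample events (mdn, itemid); not data from the original thread.
EVENTS = [
    ("111", "a"), ("111", "b"), ("222", "c"), ("333", "d"),
    ("333", "e"), ("333", "f"), ("444", "g"), ("444", "h"),
]

def chart_combined(events):
    """Single-pass model of
    '| chart values(itemid) as itemid count(mdn) as countmdn over mdn'."""
    rows = defaultdict(lambda: {"itemid": set(), "countmdn": 0})
    for mdn, itemid in events:
        rows[mdn]["itemid"].add(itemid)
        rows[mdn]["countmdn"] += 1
    return [{"mdn": m, "itemid": sorted(v["itemid"]), "countmdn": v["countmdn"]}
            for m, v in sorted(rows.items())]

def chart_appendcols(events, subsearch_limit=None):
    """Model of the two-search form: the outer chart yields one row per mdn, the
    subsearch chart yields its own rows, and appendcols pairs them by row
    position. subsearch_limit models the cap on subsearch results (a truncated
    subsearch leaves the later outer rows with no countmdn at all)."""
    outer = defaultdict(set)
    for mdn, itemid in events:
        outer[mdn].add(itemid)
    outer_rows = [{"mdn": m, "itemid": sorted(ids)} for m, ids in sorted(outer.items())]
    counts = defaultdict(int)
    for mdn, _ in events:
        counts[mdn] += 1
    sub_rows = [{"countmdn": c} for _, c in sorted(counts.items())]
    if subsearch_limit is not None:
        sub_rows = sub_rows[:subsearch_limit]  # rows past the cap never arrive
    for i, row in enumerate(outer_rows):
        if i < len(sub_rows):
            row.update(sub_rows[i])  # positional join: outer row i gets subsearch row i
    return outer_rows

def where_countmdn_at_least(rows, threshold):
    """'| where countmdn >= threshold'; a row with no countmdn field fails the
    comparison and is dropped, exactly like a null field in Splunk's where."""
    return [r for r in rows if r.get("countmdn", 0) >= threshold]
```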

lguinn2
Legend

@EricLloyd79 - yes, appendcols is for combining different searches - but even then sometimes you can do it all in one search if you are creative!


EricLloyd79
Builder

Your query worked. Thank you. I was under the assumption that to include additional columns in your table, you needed appendcols, but I guess you can just add another column in-line. Thank you for your help. (appendcols must be for when you have two different searches.)


EricLloyd79
Builder

Note when I run this at 3 hours or less, I get the results I want: a statistics table of 3 columns, one for MDN, one for itemid and one for the count of the MDN.


EricLloyd79
Builder

I'm not sure, but I think from the base search. After I click search, the events gradually increase and a message appears in the window saying "Parsing search" at first; then the events accumulate in the events tab up till about 450k (no statistic results appear during this time; if I click on that tab it says "No results yet found"). Finally it says "Finalizing job" and then switches to the error I stated above: "Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."


somesoni2
SplunkTrust

450,000 events are returned after chart command OR from the base search?
