Splunk Search

Appendcols error doesn't make sense

Builder

I have a query that works when I run it with a time range under 4 hours but anything at 4 hours or over, I get this error:

Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart).

This is my query:

sourcetype=xxx-prod XXXX status=foobar mdn | chart values(itemid) as itemid over mdn 
| appendcols [search sourcetype=xxx-prod XXXX status=foobar mdn | chart count(mdn) as countmdn over mdn] 
| where (countmdn >=20)

I've also tried to run this query with stats instead of chart (with a by instead of over). Is there something I'm missing? Just as a caveat, the result set is large: the query returns about 450,000 events for 4 hours (it actually will retrieve these events; the error appears at the end, when it's attempting to do the appendcols, I assume).

It's clear that I have appendcols after my reporting command. Can anyone shed some light on this?

Legend

I am not sure what is happening here, but you don't need appendcols at all. Doing your search this way is not efficient, plus there are limits to the number of results that will be returned from subsearches.

This will work great and be at least twice as fast:

sourcetype=xxx-prod XXXX status=foobar mdn 
| chart values(itemid) as itemid count(mdn) as countmdn  over mdn 
| where (countmdn >=20)

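To make the accepted answer's point concrete, here is a small Python model (added here; not code from the original thread or from Splunk) of the two query shapes. The constructed sample events and the function names are assumptions; the behaviour modelled is that chart/stats group by the "over" field in one pass, while appendcols attaches subsearch columns to the main results by row position and a subsearch whose output is truncated at the subsearch result limit leaves later rows without the appended field:

```python
from collections import defaultdict

# Constructed sample events (mdn, itemid); not real data.
EVENTS = [
    ("555-0100", "A1"), ("555-0100", "A2"), ("555-0100", "A1"),
    ("555-0101", "B1"), ("555-0101", "B2"),
    ("555-0102", "C1"),
]

def _group(events):
    """Group itemids by mdn, one list per mdn (the 'over mdn' step)."""
    groups = defaultdict(list)
    for mdn, itemid in events:
        groups[mdn].append(itemid)
    return dict(sorted(groups.items()))

def chart_over_mdn(events, min_count=1):
    """Model of the accepted answer:
       | chart values(itemid) as itemid count(mdn) as countmdn over mdn
       | where countmdn >= min_count
    One pass over the events yields both aggregates per mdn."""
    rows = [{"mdn": m, "itemid": sorted(set(ids)), "countmdn": len(ids)}
            for m, ids in _group(events).items()]
    return [r for r in rows if r["countmdn"] >= min_count]

def appendcols(main_rows, sub_rows):
    """Model of appendcols: subsearch columns are attached to the main
    results row-by-row by position, not joined on mdn. Main rows beyond
    the end of the subsearch output get no subsearch fields at all."""
    merged = []
    for i, row in enumerate(main_rows):
        combined = dict(row)
        if i < len(sub_rows):
            for key, val in sub_rows[i].items():
                combined.setdefault(key, val)
        merged.append(combined)
    return merged

def chart_then_appendcols(events, min_count=1, subsearch_limit=None):
    """Model of the original query: the data is scanned twice, and the second
    scan runs inside a subsearch whose output may be truncated at a result
    limit (modelled by subsearch_limit, an assumed parameter). The final
    `where` drops rows with no countmdn, since a comparison against a
    missing field evaluates to false."""
    main = [{"mdn": m, "itemid": sorted(set(ids))}
            for m, ids in _group(events).items()]
    sub = [{"mdn": m, "countmdn": len(ids)}
           for m, ids in _group(events).items()]
    if subsearch_limit is not None:
        sub = sub[:subsearch_limit]
    return [r for r in appendcols(main, sub)
            if r.get("countmdn") is not None and r["countmdn"] >= min_count]

if __name__ == "__main__":
    print(chart_over_mdn(EVENTS, min_count=2))
    print(chart_then_appendcols(EVENTS, min_count=1))
    print(chart_then_appendcols(EVENTS, min_count=1, subsearch_limit=2))
```

With no truncation the two shapes agree, but once the subsearch is cut short the appendcols version silently loses rows (the third mdn here), which is the practical reason to prefer one chart with several aggregations over a subsearch.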

Legend

@EricLloyd79 - yes, appendcols is for combining different searches - but even then sometimes you can do it all in one search if you are creative!


Builder

Your query worked. Thank you. I was under the assumption that to include additional columns in your table, you needed appendcols, but I guess you can just add another column in-line. Thank you for your help. (appendcols must be for when you have two different searches.)

Builder

Note that when I run this at 3 hours or less, I get the results I want: a statistics table of 3 columns, one for MDN, one for itemid and one for the count of the MDN.

Builder

I'm not sure, but I think from the base search. After I click search, the events gradually increase and a message appears in the window saying "Parsing search" at first; then the events accumulate in the events tab up till about 450k (no statistics results appear during this time; if I click on that tab it says "No results yet found"). Finally it says "Finalizing job" and then switches to the error I stated above: "Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."

Revered Legend

450,000 events are returned after chart command OR from the base search?
