Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fix appendcols returning more than necessary?

Diana_a
Explorer
‎07-20-2022 01:41 PM

Hi everyone, 

I am new to Splunk and I am learning as I go. I'd like to know if anyone has any idea what I am doing wrong here because it is supposed to return 36 events but I am getting 36 events but column 1 (FULLNAME) just keeps giving me more with empty columns for the rest. I just wished it would stop the FULLNAME column at 36. 

 

index=....firstSearch.....CLOSEDATE="*" (TYPE=10 OR TYPE= 11)
| rename ID as UNIQUE_ID
| dedup PARENT UNIQUE_ID

| eval CLOSEDATETIME=strptime(CLOSEDATE, "%Y-%m-%d %H:%M:%S")
| eval from_date=relative_time(now(), "-10d" )
| eval to_date=relative_time(now(), "-3d" )
| where CLOSEDATETIME >= from_date AND CLOSEDATETIME <= to_date
| fields PARENT UNIQUE_ID DESCRIPTION CLOSEDATE
| table PARENT UNIQUE_ID DESCRIPTION CLOSEDATE

| appendcols [search index= ...secondsearch... TYPE=0 | eval FULLNAME=FIRST." ".LAST]

| fields FULLNAME PARENT UNIQUE_ID DESCRIPTION CLOSEDATE
| table FULLNAME PARENT UNIQUE_ID DESCRIPTION CLOSEDATE

 

Any help greatly appreciated. I am so stuck on this and I don't understand why column 1 (FULLNAME) just keeps giving me more than the necessary 36 events and keeps giving me more full names with blank parent numbers and all of the other columns (UniqueID, description, closedate) beyond 36 number of records (events).

Eventually I will need to do another appendcols because I only need one column to append it to the overall table at the end. Is this a good approach? join are too costly and it is not giving me what I need. This is the closes thing that is working so far.

Thank you and have a good day,

 

Diana

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-20-2022 04:52 PM

appendcols is a very specific command. When you use this, your main search and your subsearch MUST only have the same number of total events returned otherwise you will get overrun or underrun as you are seeing.

If you are adding columns to an existing data set, the second search must also be crafted so that it returns the rows in the correct order that should be added to the first table.

It sounds like you are trying to get parent names from your second search based on parent ids. This is probably a better candidate to use stats to combine data from both your searches.

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2022 02:08 PM

First, what problem are you trying to solve?

Second, appendcols probably is not part of the solution (usually, it is not).  If the number and order of results in the main search does not match that of the appendcols search then the output will be incorrect.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Diana_a
Explorer
‎07-20-2022 02:23 PM

Hi!

 

Thank you for responding. 

I am trying to know why that SPL is returning more than I need in the first and second columns (FULLNAME and PARENT) 

It is supposed to be 36 events and it shows them but it keeps going on and on with blank 3rd,4th,5th columns. I don't need those. I just need up until 36 events.

untitled2.png

Hope this explains it better.

Thank you so much!

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-20-2022 04:52 PM

appendcols is a very specific command. When you use this, your main search and your subsearch MUST only have the same number of total events returned otherwise you will get overrun or underrun as you are seeing.

If you are adding columns to an existing data set, the second search must also be crafted so that it returns the rows in the correct order that should be added to the first table.

It sounds like you are trying to get parent names from your second search based on parent ids. This is probably a better candidate to use stats to combine data from both your searches.

 

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top