What are the differences between append, appendpipe, and appendcols search commands?

landen99
Motivator

I know that there is a splunk documentation page for the append command, but I have not found any splunk documentation for the appendcols command. I wonder if there are other less-documented append functions like appendrow. My question is about the differences and unique strengths of each append* command compared to the others. Specifically, when would you use appendpipe instead of append and what does appendcol do different than append, etc.?

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Append
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Appendpipe

1 Solution

somesoni2
SplunkTrust

Here is the basic usage of each command per my understanding.

append - to append the search result of one search with another (new search with/without same number/name of fields) search.
Usually to append final result of two searches using different method to arrive to the result (which can't be merged into one search)
e.g.

 index=A | stats count by sourcetype | append [search index=B | stats count by sourcetype]

Output:

sourcetype         count
SourceTypeA1       10
SourceTypeA2       70
SourceTypeB1       77
SourceTypeB2       70
SourceTypeB3       34

appendpipe - to append the search results of a post-process (subpipeline) of the current result set to the current result set.
Typically to add a summary of the current result set.
e.g.

 index=B | stats count by sourcetype | appendpipe [|stats sum(count) as count | eval sourcetype="All SourceTypes"]

Output:

sourcetype         count
SourceTypeB1       77
SourceTypeB2       70
SourceTypeB3       34
All SourceTypes    181

appendcols - to append the fields of one search result with another search result. Fields are added row-wise: the 1st row of the first search will be merged with the 1st row of the 2nd search.
Values of common fields between results will be overwritten by the 2nd search result values.
Typically to show comparative analysis of two search results in the same table/chart.

 index=A | timechart span=1d count as CountA | appendcols [search index=B | timechart span=1d count as CountB]

Output:

_time                   CountA  CountB
7/3/14 12:00:00.000 AM  867     0
7/4/14 12:00:00.000 AM  518     867
7/5/14 12:00:00.000 AM  471     518
7/6/14 12:00:00.000 AM  514     471
7/7/14 12:00:00.000 AM  908     514
7/8/14 12:00:00.000 AM  920     908

View solution in original post
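As an added illustration (not code from the thread or from Splunk), the following plain-Python model reproduces the three combining behaviours the accepted answer describes, using constructed rows that mirror its tables. It also includes a hypothetical `aligned_on` check, because appendcols pairs rows by position rather than by key, so two timecharts that start on different days silently produce mismatched comparisons.

```python
from typing import Callable, Dict, List

Row = Dict[str, object]

# Constructed stand-ins for "index=A | stats count by sourcetype" and the same for index=B.
RESULTS_A = [{"sourcetype": "SourceTypeA1", "count": 10},
             {"sourcetype": "SourceTypeA2", "count": 70}]
RESULTS_B = [{"sourcetype": "SourceTypeB1", "count": 77},
             {"sourcetype": "SourceTypeB2", "count": 70},
             {"sourcetype": "SourceTypeB3", "count": 34}]
# Constructed stand-ins for two daily timecharts; note that B starts one day later than A.
TIMECHART_A = [{"_time": "7/3/14", "CountA": 867}, {"_time": "7/4/14", "CountA": 518}]
TIMECHART_B = [{"_time": "7/4/14", "CountB": 867}, {"_time": "7/5/14", "CountB": 518}]


def append(current: List[Row], subsearch: List[Row]) -> List[Row]:
    """append: subsearch rows are added after the current rows, regardless of field names."""
    return list(current) + list(subsearch)


def appendpipe(current: List[Row], subpipeline: Callable[[List[Row]], List[Row]]) -> List[Row]:
    """appendpipe: run a subpipeline over the CURRENT results and append what it yields."""
    return list(current) + subpipeline(list(current))


def total_row(rows: List[Row]) -> List[Row]:
    """Models the answer's subpipeline: stats sum(count) as count | eval sourcetype="All SourceTypes"."""
    return [{"sourcetype": "All SourceTypes", "count": sum(int(r["count"]) for r in rows)}]


def appendcols(current: List[Row], subsearch: List[Row]) -> List[Row]:
    """appendcols: merge by row POSITION; fields present in both rows take the subsearch value.
    Subsearch rows beyond the end of the current results become new rows."""
    merged: List[Row] = []
    for i in range(max(len(current), len(subsearch))):
        row: Row = dict(current[i]) if i < len(current) else {}
        if i < len(subsearch):
            row.update(subsearch[i])
        merged.append(row)
    return merged


def aligned_on(current: List[Row], subsearch: List[Row], key: str) -> bool:
    """Hypothetical sanity check before trusting an appendcols comparison: True only when
    every positionally paired row carries the same value for `key` (for example _time)."""
    if len(current) != len(subsearch):
        return False
    return all(a.get(key) == b.get(key) for a, b in zip(current, subsearch))
```

Running `appendcols(TIMECHART_A, TIMECHART_B)` shows the second search's `_time` overwriting the first's, which is exactly the kind of shift that a per-row `_time` comparison such as `aligned_on` catches before the numbers are read as a like-for-like comparison.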

Nextbeat
Path Finder

Thanks for the explanation. FYI, you can use append to sort initial results from a table and then combine them with results from the same base search, comparing a different value that also needs to be sorted differently.

0 Karma

lauraG85
Engager

Great! Thank you so much

0 Karma

satishachary199
New Member

Thank you so much, nice explanation.

0 Karma

marina_rovira
Contributor

Do you know how to use the results, CountA and CountB to make some calculation? I want to know the %
Thank you in advance.

mhamano
Explorer

Yes, same here! CountA and CountB and TotalCount to create a column for %CountA and %CountB

alexandermunce
Communicator

Have you tried something like:

eval countPercentage = countA/countB*100

sylax
Explorer

This is a great explanation. Thanks!

0 Karma

koprai
Explorer

Thanks... but wish we had an appendpipecols

nabeel652
Builder

That's what streamstats is.

bhawkins1
Communicator

What exactly is streamstats? Can you clarify with an example?

0 Karma

skoelpin
SplunkTrust

Great explanation! Once again, thanks for the help somesoni2

0 Karma

somesoni2
SplunkTrust

Appendcols is available in the Splunk documentation at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Appendcols
