Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

append command is not working

harishalipaka
Motivator
‎01-23-2020 06:49 AM

Hi All,

Updated

I have 70,535 records in first query and 201776 from second query.
when i am append these two searches it is not working correctly.
Some data i lost.

We can i have limitation for append maxout=50000 in limit.conf.
Sometimes it is working for morethan 1 lakh records sometimes not.

index="abc" source="first"  
    | dedup MAC 
    | eval MAC_Address=trim(upper(MAC)) |rename locations as Location |eval type="ARP",Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA" |table MAC_Address 
    |join type=left max=0 MAC_Address[search index="ghf" source="dataset2"  |dedup MAC_Address  |eval MAC_Address=trim(upper(MAC_Address)),type="dataset2"|table MAC_Address type]  |where isnull(type) |fillnull value="ARP" |table MAC_Address type

    |append maxout=0 [search index="third" source="dataset2" |table MAC_Address type|eval MAC_Address=trim(upper(MAC_Address)) ] |dedup type

Above query i have used left join and filtered with where null .(Here i want where Not in but it is also not working for me) 

base query ... |where NOT  MAC_Address  in ([search index=abs |dedup MAC_Address |eval a=split(MAC_Address," ")|mvexpand a |eval r="\"".a."\"" 
|stats values(r) as a | mvcombine delim="," a |rex field=a mode=sed "s/ /,/g" |return $a
])

Can any one please help me in this.

This is for splunk cloud

thanks

Thanks
Harish
Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-24-2020 06:32 AM 
(index="abc" source="first") OR ((index="ghf" OR index="third") source="dataset2") 
| eval MAC_Address=trim(upper(coalesce(MAC,MAC_Address)) 
| rename locations as Location 
| eval type=case(index="abc","ARP",index="ghf","dataset2",index="third",type) ,Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA" 
| stats value(*) as * by MAC_Address

Hi, @harishalipaka
append is unnecessary.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-23-2020 09:51 AM

query and sample log please. nobody knows details.

0 Karma
Reply

niketn
Legend
‎01-23-2020 08:17 AM

@harishalipaka it definitely will have subsearch limitations and limits.conf can be changed to accommodate as per your needs but as @skoelpin has mentioned please let us know your current SPL/Use case so that we can suggest you any other alternative which is better suited for your needs and may not run into sub-search limitations. PS: You can also try out the sub-search related optional arguments to see if append works (not recommended unless we see your use case): https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

skoelpin
SplunkTrust
SplunkTrust
‎01-23-2020 08:02 AM

Why use the append command? Just join with an OR. Post a sample of your query

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...