Splunk Search

append command is not working

harishalipaka
Motivator

Hi All,

Updated

I have 70,535 records in first query and 201776 from second query.
when i am append these two searches it is not working correctly.
Some data i lost.

We can i have limitation for append maxout=50000 in limit.conf.
Sometimes it is working for morethan 1 lakh records sometimes not.

index="abc" source="first"  
    | dedup MAC 
    | eval MAC_Address=trim(upper(MAC)) |rename locations as Location |eval type="ARP",Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA" |table MAC_Address 
    |join type=left max=0 MAC_Address[search index="ghf" source="dataset2"  |dedup MAC_Address  |eval MAC_Address=trim(upper(MAC_Address)),type="dataset2"|table MAC_Address type]  |where isnull(type) |fillnull value="ARP" |table MAC_Address type

    |append maxout=0 [search index="third" source="dataset2" |table MAC_Address type|eval MAC_Address=trim(upper(MAC_Address)) ] |dedup type

Above query i have used left join and filtered with where null .(Here i want where Not in but it is also not working for me)

base query ... |where NOT  MAC_Address  in ([search index=abs |dedup MAC_Address |eval a=split(MAC_Address," ")|mvexpand a |eval r="\"".a."\"" 
|stats values(r) as a | mvcombine delim="," a |rex field=a mode=sed "s/ /,/g" |return $a
])

Can any one please help me in this.

This is for splunk cloud

thanks

Thanks
Harish
Tags (2)
0 Karma

to4kawa
Ultra Champion
(index="abc" source="first") OR ((index="ghf" OR index="third") source="dataset2") 
| eval MAC_Address=trim(upper(coalesce(MAC,MAC_Address)) 
| rename locations as Location 
| eval type=case(index="abc","ARP",index="ghf","dataset2",index="third",type) ,Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA" 
| stats value(*) as * by MAC_Address

Hi, @harishalipaka
append is unnecessary.

0 Karma

to4kawa
Ultra Champion

query and sample log please. nobody knows details.

0 Karma

niketn
Legend

@harishalipaka it definitely will have subsearch limitations and limits.conf can be changed to accommodate as per your needs but as @skoelpin has mentioned please let us know your current SPL/Use case so that we can suggest you any other alternative which is better suited for your needs and may not run into sub-search limitations. PS: You can also try out the sub-search related optional arguments to see if append works (not recommended unless we see your use case): https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

skoelpin
SplunkTrust
SplunkTrust

Why use the append command? Just join with an OR. Post a sample of your query

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...