Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- append command is not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
append command is not working
Hi All,
Updated
I have 70,535 records in first query and 201776 from second query.
when i am append these two searches it is not working correctly.
Some data i lost.
We can i have limitation for append maxout=50000 in limit.conf.
Sometimes it is working for morethan 1 lakh records sometimes not.
index="abc" source="first"
| dedup MAC
| eval MAC_Address=trim(upper(MAC)) |rename locations as Location |eval type="ARP",Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA" |table MAC_Address
|join type=left max=0 MAC_Address[search index="ghf" source="dataset2" |dedup MAC_Address |eval MAC_Address=trim(upper(MAC_Address)),type="dataset2"|table MAC_Address type] |where isnull(type) |fillnull value="ARP" |table MAC_Address type
|append maxout=0 [search index="third" source="dataset2" |table MAC_Address type|eval MAC_Address=trim(upper(MAC_Address)) ] |dedup type
Above query i have used left join and filtered with where null .(Here i want where Not in but it is also not working for me)
base query ... |where NOT MAC_Address in ([search index=abs |dedup MAC_Address |eval a=split(MAC_Address," ")|mvexpand a |eval r="\"".a."\""
|stats values(r) as a | mvcombine delim="," a |rex field=a mode=sed "s/ /,/g" |return $a
])
Can any one please help me in this.
This is for splunk cloud
thanks
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(index="abc" source="first") OR ((index="ghf" OR index="third") source="dataset2")
| eval MAC_Address=trim(upper(coalesce(MAC,MAC_Address))
| rename locations as Location
| eval type=case(index="abc","ARP",index="ghf","dataset2",index="third",type) ,Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA"
| stats value(*) as * by MAC_Address
Hi, @harishalipaka
append is unnecessary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
query and sample log please. nobody knows details.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka it definitely will have subsearch limitations and limits.conf can be changed to accommodate as per your needs but as @skoelpin has mentioned please let us know your current SPL/Use case so that we can suggest you any other alternative which is better suited for your needs and may not run into sub-search limitations. PS: You can also try out the sub-search related optional arguments to see if append works (not recommended unless we see your use case): https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append#Optional_arguments
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why use the append command? Just join with an OR. Post a sample of your query
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
