Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: multisearch vs append
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multisearch vs append
I recently discovered the "multisearch" command. Other than only being able to use streaming commands in each of the subsearches, what is the difference between the "multisearch" command and the "append" command? In what scenarios would you use one over the other? In fact, in what sceanrios would you ever user the "multisearch" command?
The example given in the docs is
| multisearch [search index=a | eval type = "foo"] [search index=b | eval type = "bar"]
Why is this preferred over
index=a OR index=b | eval type=if(index=a,"foo","bar")
?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I showed on this other answer, multisearch is not constrained by subsearch limits.
While in your simple example it might not have benefit, multisearch lets you use any streaming command in each search. I think its value would come out in a case where you need to apply calculations (eval) or inline extractions (rex) to one set of events, but not to other sets of events, and it might make your search easier to understand (instead of getting multiple levels of if statements deep in your evals).
And as you asked about append we can use the setup from the other answer to compare:
| noop | append [search index=test earliest=-7d | append [search index=test earliest=-7d] | append [search index=test earliest=-7d]
returns 150,000 events since append is subject to the maxresultrows limit of 50,000 events by default
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Additionally, multisearch searches are run (more-or-less) simultaneously, not sequentially as they are with append
If the search slots are available, multisearch should finish dramatically faster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, do the regular subssearch limitations also apply to a subsearch that is used for the multisearch command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great question. Bump.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
