- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- append command is not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
append command is not working
Hi All,
Updated
I have 70,535 records in first query and 201776 from second query.
when i am append these two searches it is not working correctly.
Some data i lost.
We can i have limitation for append maxout=50000 in limit.conf.
Sometimes it is working for morethan 1 lakh records sometimes not.
index="abc" source="first"
| dedup MAC
| eval MAC_Address=trim(upper(MAC)) |rename locations as Location |eval type="ARP",Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA" |table MAC_Address
|join type=left max=0 MAC_Address[search index="ghf" source="dataset2" |dedup MAC_Address |eval MAC_Address=trim(upper(MAC_Address)),type="dataset2"|table MAC_Address type] |where isnull(type) |fillnull value="ARP" |table MAC_Address type
|append maxout=0 [search index="third" source="dataset2" |table MAC_Address type|eval MAC_Address=trim(upper(MAC_Address)) ] |dedup type
Above query i have used left join and filtered with where null .(Here i want where Not in but it is also not working for me)
base query ... |where NOT MAC_Address in ([search index=abs |dedup MAC_Address |eval a=split(MAC_Address," ")|mvexpand a |eval r="\"".a."\""
|stats values(r) as a | mvcombine delim="," a |rex field=a mode=sed "s/ /,/g" |return $a
])
Can any one please help me in this.
This is for splunk cloud
thanks
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(index="abc" source="first") OR ((index="ghf" OR index="third") source="dataset2")
| eval MAC_Address=trim(upper(coalesce(MAC,MAC_Address))
| rename locations as Location
| eval type=case(index="abc","ARP",index="ghf","dataset2",index="third",type) ,Serial_Number="NA",HostName="NA", Domain="NA", Chassis_Type="NA"
| stats value(*) as * by MAC_Address
Hi, @harishalipaka
append is unnecessary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
query and sample log please. nobody knows details.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka it definitely will have subsearch limitations and limits.conf can be changed to accommodate as per your needs but as @skoelpin has mentioned please let us know your current SPL/Use case so that we can suggest you any other alternative which is better suited for your needs and may not run into sub-search limitations. PS: You can also try out the sub-search related optional arguments to see if append works (not recommended unless we see your use case): https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append#Optional_arguments
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why use the append command? Just join with an OR. Post a sample of your query
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
