Hey Everyone are you stuck on how to get the results from two different index or same index in a same statistical table well no need to search more this can be achieved using append command in splunk, let’s just dive into the topic.

Key points of append command in splunk:

The Append command appends the results of a subsearch into to the current results.
The Append command only runs over the historical data.
The Append command doesn’t produce correct results if used in a real-time search.

Note: Note : Never use the append command on real-time search.

Syntax:

append [<subsearch-options>…] <subsearch>

Query for sourcetype-1 before using append command:

index=* sourcetype="WinEventLog:System"
| stats values(EventCode) as EventCode count by LogName

Results for sourcetype-1 before using append command:

Query for sourcetype-2 before using append command:

index=* sourcetype="WinEventLog:Application"
| stats values(EventCode) as EventCode count by LogName

Results for sourcetype-2 before using append command:

Query after using append command:

index=* sourcetype="WinEventLog:System"
| stats values(EventCode) as EventCode count by LogName
| append [search index=* sourcetype="WinEventLog:Application" | stats values(EventCode) as EventCode count by LogName ]

Results after using append command:

Explanation:

Above there are two search queries for sourcetype-1 & sourcetype-2, in which the first query is searching for the results which has the count of EventCode splitted LogName wise for sourcetype (WinEventLog:System), where as the second query is searching in the similar way that is the count of EventCode splitted LogName wise but with different sourcetype (WinEventLog:Application).

Hence the first row contains the result of LogName wise EventCode for System sourcetypewhich is appended by the result of LogName wise EventCode for Application sourcetype in the second row.

The Append Command can be used using a pipe and append i.e. | append, and the search query is written inside the [ ] square brackets.

It searches separately a new search query and takes the search results and adds it at the bottom of the first searched results that is it adds the second searched query at the bottom of the first searched query.

Also look for Abstract Command in Splunk

If you are still facing issue regarding append command in splunk Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on social platforms, happy Splunking >

Optimizing Storage Costs with Splunk SmartStore

Splunk Cloud Victoria vs Classic Experience

The Power of Summary Indexing in Splunk

Renew Splunk Certificates

Exploring the Reverse Command in Splunk

Changing Splunk Web Port from 8000 to 443

Append Command in Splunk

Understanding splunk append command with an example

Key points of append command in splunk:

Syntax:

Query for sourcetype-1 before using append command:

Results for sourcetype-1 before using append command:

Query for sourcetype-2 before using append command:

Results for sourcetype-2 before using append command:

Query after using append command:

Results after using append command:

Explanation:

What do you think?

Exploring the Reverse Command in Splunk

Stats count to include zero count in splunk

Datamodel Command in Splunk

Dedup Command in Splunk

Bin Command Splunk

Addinfo Command in Splunk

The Power of Summary Indexing in Splunk

Exploring the Reverse Command in Splunk

Stats count to include zero count in splunk

Datamodel Command in Splunk

Dedup Command in Splunk

Bin Command Splunk

Leave a ReplyCancel reply

Changing Splunk Web Port from 8000 to 443

Addtotals Command Splunk