Append Command in Splunk

Understanding splunk append command with an example

by Lognalytics Technology November 27, 2021, 2:23 pm 271 Views

Hey Everyone are you stuck on how to get the results from two different index or same index in a same statistical table well no need to search more this can be achieved using append command in splunk, let’s just dive into the topic.

Key points of append command in splunk:

The Append command appends the results of a subsearch into to the current results.
The Append command only runs over the historical data.
The Append command doesn’t produce correct results if used in a real-time search.

Note: Note : Never use the append command on real-time search.

Syntax:

append [<subsearch-options>…] <subsearch>

Query for sourcetype-1 before using append command:

index=* sourcetype="WinEventLog:System"
| stats values(EventCode) as EventCode count by LogName

Results for sourcetype-1 before using append command:

Query for sourcetype-2 before using append command:

index=* sourcetype="WinEventLog:Application"
| stats values(EventCode) as EventCode count by LogName

Results for sourcetype-2 before using append command:

Query after using append command:

index=* sourcetype="WinEventLog:System"
| stats values(EventCode) as EventCode count by LogName
| append [search index=* sourcetype="WinEventLog:Application" | stats values(EventCode) as EventCode count by LogName ]

Results after using append command:

Explanation:

Above there are two search queries for sourcetype-1 & sourcetype-2, in which the first query is searching for the results which has the count of EventCode splitted LogName wise for sourcetype (WinEventLog:System), where as the second query is searching in the similar way that is the count of EventCode splitted LogName wise but with different sourcetype (WinEventLog:Application).

Hence the first row contains the result of LogName wise EventCode for System sourcetypewhich is appended by the result of LogName wise EventCode for Application sourcetype in the second row.

The Append Command can be used using a pipe and append i.e. | append, and the search query is written inside the [ ] square brackets.

It searches separately a new search query and takes the search results and adds it at the bottom of the first searched results that is it adds the second searched query at the bottom of the first searched query.

Also look for Abstract Command in Splunk

If you are still facing issue regarding append command in splunk Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on social platforms, happy Splunking >