
Appendcols Command in Splunk

Hey everyone, are you stuck on how to get the results from two different indexes (or the same index) into one statistical table? No need to search further: this can be achieved with the appendcols command in Splunk. Let's dive into the topic.

Appends the fields of the subsearch results to the input search results. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on. The merge is by row position, not by any key field.

Syntax:

appendcols [override= <bool> | <subsearch-options>...] <subsearch>

Required arguments:

subsearch – A secondary search added to the main search.

Optional arguments:

override

Syntax: override=<bool>

Description:
If the override argument is false and the field is present in both the subsearch and the main result, the main result will be used. If override = true, the result of the subsearch will be used.

Default: override=false

subsearch-options

Syntax: maxtime=<int> | maxout=<int> | timeout=<int>

Description:
These options control how the subsearch is executed.

Subsearch options

maxtime

Syntax: maxtime=<int>

Description:
The maximum time (in seconds) to spend on the subsearch before it is automatically finalized.

maxout

Syntax: maxout=<int>

Description:
Maximum number of rows of results to output from the subsearch.

timeout

Syntax: timeout=<int>

Description:
Maximum time (in seconds) to wait for the subsearch to fully finish.

Usage:

The appendcols command must be placed in the search string after transforming commands such as stats, chart, and timechart. The appendcols command cannot be used before a transforming command because its columns must be added to an existing tabular result set, such as the one generated by the transforming command.

Example for using appendcols command in splunk:

source="Superstore.csv" 
| stats count(Profit) as "Region wise Profit" by Region 
| appendcols 
    [ search source="Superstore.csv" 
    | stats count by Quantity 
    | fields - count ]


Explanation: The only difference between append and appendcols is that append adds the rows of the appended search below the result table of the first query, while appendcols adds the fields of the appended search as new columns, so its results are shown alongside the rows of the first query.
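Because appendcols lines rows up by position rather than by a key, two stats tables that were sorted differently merge into rows that look plausible but attribute one user's numbers to another. The following Python model is an added example, not Splunk's code and not part of the original post: the appendcols and appendcols_keyed functions, the failed/success login fields, the usernames and the counts are all constructed for this illustration, and the handling of unpaired rows is a modelling assumption rather than a statement about Splunk.

```python
"""Model of appendcols semantics on constructed data (added example, not Splunk code).

Reproduces the documented rules: row i of the subsearch is folded into row i of
the main search, a field present on both sides keeps the main value unless
override=true, and maxout caps how many subsearch rows are used.
"""
from typing import Dict, List, Optional

Row = Dict[str, object]


def appendcols(main: List[Row], sub: List[Row], override: bool = False,
               maxout: Optional[int] = None) -> List[Row]:
    """Positional merge of sub[i] into main[i].

    override=False (the default): a field in both rows keeps the main value.
    override=True: the subsearch value replaces it.
    maxout: only the first maxout subsearch rows are used.
    Rows on either side without a partner are kept with the missing fields
    absent (modelling assumption for the unpaired case).
    """
    if maxout is not None:
        sub = sub[:maxout]
    merged: List[Row] = []
    for i in range(max(len(main), len(sub))):
        row: Row = dict(main[i]) if i < len(main) else {}
        if i < len(sub):
            for field, value in sub[i].items():
                if override or field not in row:
                    row[field] = value
        merged.append(row)
    return merged


def alignment_errors(main: List[Row], sub: List[Row], key: str) -> List[str]:
    """List every reason a positional merge on `key` would misattribute data."""
    errors: List[str] = []
    if len(main) != len(sub):
        errors.append(f"row count differs: {len(main)} vs {len(sub)}")
    for i, (m, s) in enumerate(zip(main, sub)):
        if m.get(key) != s.get(key):
            errors.append(f"row {i}: {m.get(key)!r} vs {s.get(key)!r}")
    return errors


def appendcols_keyed(main: List[Row], sub: List[Row], key: str) -> List[Row]:
    """Defensive wrapper: sort both sides by the split-by field so positions
    line up, then refuse to merge if any row pair still disagrees on the key."""
    main_sorted = sorted(main, key=lambda r: str(r[key]))
    sub_sorted = sorted(sub, key=lambda r: str(r[key]))
    problems = alignment_errors(main_sorted, sub_sorted, key)
    if problems:
        raise ValueError("positional merge would misalign: " + "; ".join(problems))
    return appendcols(main_sorted, sub_sorted)


# Constructed sample tables, as two `stats count by user` results would look
# when each is sorted by its own count in descending order.
FAILED_BY_USER: List[Row] = [
    {"user": "alice", "failed": 40},
    {"user": "bob", "failed": 12},
    {"user": "carol", "failed": 3},
]
SUCCESS_BY_USER: List[Row] = [
    {"user": "carol", "success": 90},
    {"user": "alice", "success": 50},
    {"user": "bob", "success": 20},
]


def demo() -> Dict[str, List[Row]]:
    """Return the naive merges beside the key-checked one for comparison."""
    return {
        "override_false": appendcols(FAILED_BY_USER, SUCCESS_BY_USER),
        "override_true": appendcols(FAILED_BY_USER, SUCCESS_BY_USER, override=True),
        "keyed": appendcols_keyed(FAILED_BY_USER, SUCCESS_BY_USER, "user"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name)
        for row in rows:
            print("  ", row)
```

In the naive merge the first row reads user=alice with carol's 90 successes, and override=true only flips which side's username survives, not the misattribution. The keyed variant corresponds to sorting both searches by the split-by field in SPL (`| sort user` in the main search and inside the subsearch) before appendcols; when the two sides cannot be guaranteed to produce the same row set, a key-based join is the safer choice.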

Also see: Append Command in Splunk


If you are still facing issues regarding the appendcols command in Splunk, feel free to ask your doubts in the comment box below, and don't forget to follow us on social platforms. Happy Splunking 😉
