Hey everyone, are you stuck on how to get results from two different indexes, or from the same index, into a single statistical table? No need to search any further: this can be achieved using the appendcols command in Splunk. Let's dive into the topic.
Appends the fields of the subsearch results with the input search results. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.
subsearch – A secondary search added to the main search.
Optional arguments:
override
Syntax: override=<bool>
Description: If the override argument is false and the field is present in both the subsearch and the main result, the main result will be used. If override=true, the result of the subsearch will be used.
Subsearch options
Description: These options control how the subsearch is executed.
maxtime
Syntax: maxtime=<int>
Description: The maximum time (in seconds) to spend on the subsearch before automatically finalizing.
maxout
Syntax: maxout=<int>
Description: Maximum number of rows of results to output from the subsearch.
timeout
Syntax: timeout=<int>
Description: Maximum time (in seconds) to wait for the subsearch to fully finish.
Usage:
The appendcols command must be placed in the search string after a transforming command such as stats, chart, or timechart. It cannot be used before a transforming command because it appends to an existing tabular result set, such as the one generated by a transforming command.
Example of using the appendcols command in Splunk:
source="Superstore.csv"
| stats count(Profit) as "Region wise Profit" by Region
| appendcols
[ search source="Superstore.csv"
| stats count by Quantity
| fields - count ]
Explanation: The only difference between append and appendcols is that append adds the results of the appended search as rows after the first query's result table, while appendcols adds them as columns alongside the first query's results.
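The row-by-row merge and the override argument described above, shown as an added example that is not from the original post. It builds constructed sample data with makeresults, so it runs without any index; the user names and the failed, succeeded and sub_user field names are assumptions chosen for illustration.

```spl
| makeresults count=5
| streamstats count as n
| eval user=case(n<=2, "alice", n<=4, "bob", true(), "carol")
| stats count as failed by user
| appendcols override=false
    [| makeresults count=4
     | streamstats count as n
     | eval user=case(n<=3, "bob", true(), "carol")
     | stats count as succeeded by user
     | rename user as sub_user ]
| table user failed sub_user succeeded
```

Rows are paired by position, not by user, so the first row puts bob's succeeded count next to alice's failed count. Keeping the subsearch key as sub_user makes that mismatch visible, whereas leaving it named user would hide it under override=false.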
If you are still facing issues with the appendcols command in Splunk, feel free to ask your doubts in the comment box below, and don't forget to follow us on social platforms. Happy Splunking!