Usage of Splunk commands : APPENDCOLS


The appendcols command is used as follows:

  • The appendcols command appends the fields of the subsearch results to the results of the main search.
  • The subsearch must start with a generating command.

 

The skeleton of the “appendcols” command in Splunk is shown below:

 

appendcols [override=<bool>] <subsearch>

Example 1:

index=_internal
| stats count by method
| appendcols [ search index=_audit | stats count as info_count by info 
| head 4 ]
 

Result:

appendcols

Explanation :

In the above query, “method” and “info” are existing field names in the “_internal” and “_audit” indexes respectively. The red rectangular box shows the result of the main search and the blue rectangular box shows the result of the subsearch. With the “appendcols” command, we have appended the result of the subsearch to the main result.

 ************************************************************************************

Example 2:

index=_internal
| stats count by method
| appendcols [ search index=_audit | stats count by info | head 4 ]

 

Result :

appendcols2

 Explanation:

In the above query, “method” and “info” are existing field names in the “_internal” and “_audit” indexes respectively. “count” is a field common to both the main search and the subsearch, so the “count” values of the main search are used, because the argument override defaults to false.

************************************************************************************ 

Example 3:

index=_internal
| stats count by method
| appendcols override=true [ search index=_audit | stats count by info 
| head 4 ]

Result :

 appendcols3

Explanation:

In the above query, “method” and “info” are existing field names in the “_internal” and “_audit” indexes respectively. Here we have used the argument override=true with the “appendcols” command. “count” is a field common to both the main search and the subsearch, so the “count” values of the subsearch are used because override=true.
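A self-contained variant of Examples 2 and 3, added here and not part of the original post: both result sets are built with makeresults, so every method, info and count value below is constructed sample data rather than events from “_internal” or “_audit”. The main search returns three rows and the subsearch two, which makes it easy to see that appendcols pairs rows by position (first with first, second with second) and not by matching any field value.

```spl
| makeresults count=3
| streamstats count AS row
| eval method=case(row=1, "GET", row=2, "POST", row=3, "DELETE")
| eval count=row*100
| table method count
| appendcols override=false
    [| makeresults count=2
     | streamstats count AS row
     | eval info=case(row=1, "granted", row=2, "denied")
     | eval count=row
     | table info count ]
```

Run it as written, then change override=false to override=true and compare the “count” column of the two results.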

 

Now you can effectively use the “appendcols” command in your daily work to meet your requirements!

Hope you are now comfortable with the usage of the Splunk command APPENDCOLS.

 

HAPPY SPLUNKING !!
