Usage of Splunk commands : APPEND
Usage of Splunk commands : APPEND is as follows
- Append command appends the result of a subsearch with the current result.
- This command runs only over the historical data.
- It doesn’t show the correct result if you use this command in real time basis.
- The subsearch must be start with a generating command.
Find below the skeleton of the usage of the command “append” in SPLUNK :
append <subsearch>
Example :
index=_internal sourcetype=splunkd_ui_access | stats count by method | append [ search index=_audit | stats count by info ]
Result :
Explanation:
In the above query we have used the two search .“Red” rectangular box is showing the result of main search and “Blue” rectangular box is showing the result of subsearch.By the “append” command we have appended the result of subsearch with the result of main search.
Now you can effectively utilize “append” command in your daily use to meet your requirement !!
Hope you are now comfortable in : Usage of Splunk commands : APPEND
HAPPY SPLUNKING !!
What’s your Reaction?
+1
+1
+1
+1
1
+1
2
+1
+1
[…] Explanation: Here we as one can see that we merged results from two different indexes ( _internal and _audit ), but we did in a different manner. We merged our dataset (i.e. [ search index=_audit | chart count by info]) with the existing main-search (i.e. index=_internal | chart count by method ) using union command, Where results are merged row wise. Orange marked box is the result of _internal index and green marked is the result of _audit index. This basically does the same as the append command if we replace union with append then also it will generate the same result. To know more about the append command click here. […]