Usage of Splunk commands : APPENDCOLS
Usage of Splunk commands : APPENDCOLS is as follows :
- The appendcols command appends the fields of the subsearch results to the results of the main search.
- The subsearch must start with a generating command.
Find below the skeleton of the usage of the command “appendcols” in SPLUNK :
appendcols [override=<bool>] <subsearch>
Example 1:
index=_internal | stats count by method | appendcols [ search index=_audit | stats count as info_count by info | head 4 ]
Result:
Explanation :
In the above query, “method” and “info” are existing field names in the “_internal” and “_audit” indexes respectively. The red rectangular box shows the result of the main search and the blue rectangular box shows the result of the subsearch. With the “appendcols” command we have appended the result of the subsearch to the main result.
************************************************************************************
Example 2:
index=_internal | stats count by method | appendcols [ search index=_audit | stats count by info | head 4 ]
Result :
Explanation:
In the above query, “method” and “info” are existing field names in the “_internal” and “_audit” indexes respectively. Both the main search and the subsearch produce a field named “count”. Because the override argument defaults to false, the “count” values of the main search are used.
************************************************************************************
Example 3:
index=_internal | stats count by method | appendcols override=true [ search index=_audit | stats count by info | head 4 ]
Result :
Explanation:
In the above query, “method” and “info” are existing field names in the “_internal” and “_audit” indexes respectively. Here we have used the argument override=true with the “appendcols” command. Both the main search and the subsearch produce a field named “count”, so the “count” values of the subsearch are used because override=true.
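The override behaviour from Examples 2 and 3 can be reproduced without any indexed data. The search below is an added example, not part of the original post: it builds constructed rows with makeresults, and the method, info and count values are made up to mirror the fields used above. The subsearch deliberately returns fewer rows than the main search.

```spl
| makeresults count=3
| streamstats count AS row
| eval method=case(row=1,"GET", row=2,"POST", row=3,"DELETE"), count=row*100
| table method count
| appendcols override=true
    [| makeresults count=2
     | streamstats count AS row
     | eval info=case(row=1,"granted", row=2,"denied"), count=row
     | table info count ]
```

With override=true the first two rows show count 1 and 2 from the subsearch, while the third row keeps 300 because the subsearch has no third row to merge; with override=false all three rows keep 100, 200 and 300. Rows are paired purely by position, so "GET" sitting next to "granted" does not mean the two values are related. This matters when the columns come from different indexes, as in the examples above.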
Now you can effectively use the “appendcols” command in your daily work to meet your requirements !!
Hope you are now comfortable with : Usage of Splunk commands : APPENDCOLS
HAPPY SPLUNKING !!