
USAGE OF SPLUNK COMMANDS: APPENDPIPE

Hi Guys!!!
Today we have come with a new command which can be very useful for you. The command is “appendpipe”. With the help of this command, you can add a subtotal of a query with your result. In other words, you can say that you can append the result of transforming commands (stats, chart etc.) with your result set.
So, let’s see how we can use the command.

Usage of appendpipe command:

  • With this command, we can add a subtotal of the query to the result set. In other words, you can append the result of transforming commands (stats, chart etc.) to your existing result set.

Syntax of appendpipe command:
| appendpipe [<subpipeline>]

subpipeline: This is the list of commands that is applied to the search results produced by the commands that occurred earlier in the search.

Example: 1
The query below gives the result set on which we will show the usage of the appendpipe command.

index=_internal sourcetype=splunkd_ui_access
| bin span=1d _time
| stats count by _time,method

Explanation:
Here, we are using the “_internal” index, and “splunkd_ui_access” is the sourcetype name. Then, with a time span of 1 day (using the bin command), we are showing the event count by the “_time” and “method” fields.
So basically, we are getting the daily count of each value of the “method” field individually. Now, if you want to add the daily total count of all “method” field values, you can do that using the “appendpipe” command.
Please see the query below,

index=_internal sourcetype=splunkd_ui_access
| bin span=1d _time
| stats count by _time,method
| appendpipe
    [ stats sum(count) as count by _time
    | eval method="Daily Total" ]
| sort _time

Explanation:
Here, using “appendpipe” we have appended the “Daily Total” count of the “method” field values. For that we have used
“stats sum(count) as count by _time”, which gives us the summation of the count of the “method” field values on an everyday basis.
Now, to mark those summation rows we have put the value “Daily Total” in the method field using the “eval” command.
Then, we have arranged the data in ascending time order.


Now, in the same way, if you want to append the “Daily Average” count of the “method” field values, you can use the query below,

index=_internal sourcetype=splunkd_ui_access
| bin span=1d _time
| stats count by _time,method
| appendpipe
    [ stats avg(count) as count by _time
    | eval method="Daily Average" ]
| sort _time

Now, if along with the “Daily Total” you also want to find the “Grand Total” and add it to the same result, we have our next example for that. Please check below,

Example: 2

index=_internal sourcetype=splunkd_ui_access
| bin span=1d _time
| stats count by _time,method
| appendpipe
    [ stats sum(count) as count by _time
    | eval daily="Daily Total" ]
| sort _time
| appendpipe
    [ stats sum(count) as count by daily
    | eval grand="Grand Total" ]
| eval method=coalesce(method,grand,daily)
| fields - daily,grand

Explanation:
Here, we are using the “_internal” index, and “splunkd_ui_access” is the sourcetype name. Then, with a time span of 1 day (using the bin command), we are showing the event count by the “_time” and “method” fields.
Using the first “appendpipe” we have appended the “Daily Total” count of the “method” field values. For that, we have used
“stats sum(count) as count by _time”, which gives us the summation of the count of the “method” field values on an everyday basis.
And, to mark these summation rows we have added a new field named “daily” which is assigned the value “Daily Total” [“Daily Total” marks the daily summation rows].
Then, we have arranged the data in ascending time order.
Now, using the second “appendpipe” we have appended the “Grand Total” of the daily summation counts of the “method” field values. For that, we have used
“stats sum(count) as count by daily”, which gives us the summation of the count of only those rows that have the “daily” field (the daily summation rows), since “stats ... by daily” ignores rows where that field is null.
And, to mark this grand summation row we have added a new field named “grand” which is assigned the value “Grand Total” [“Grand Total” marks the grand summation row].
Now, we have used “| eval method=coalesce(method,grand,daily)”; the coalesce function fills the null values of the “method” field with the values of the “grand” and “daily” fields.


Then, using the fields command, we have excluded the “daily” and “grand” fields.
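The same subtotal pattern applied to a security search, as an added example that is not from the original post. It assumes Windows Security events are stored in an index named wineventlog with the account name in a field called user (both assumptions, not taken from the post); the second appendpipe shows a further use of the command, appending a placeholder row only when the search returns nothing, so a dashboard panel or alert built on this search does not go silent without explanation.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| bin span=1d _time
| stats count by _time, user
| appendpipe
    [ stats sum(count) as count by _time
    | eval user="Daily Total" ]
| appendpipe
    [ stats count as rows
    | where rows=0
    | eval _time=now(), user="No failed logons in range", count=0
    | fields - rows ]
| sort _time, user
```

The “Daily Total” rows flow into the second appendpipe just like the original rows, so its “stats count” sees the full result set; the placeholder row is appended only when that count is zero.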

Happy Splunking !!
