Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the append query not working?

Mohsin123
Path Finder
‎07-23-2018 09:25 AM

hi,

index="idx_a" sourcetype IN ("logs") component=* logpoint=request-in 
| table transaction-id,timestamp-in| append 
    [ search index="idx_a" sourcetype IN ("logs") component=* logpoint=response-out 
    | table timestamp-out] 
| table transaction-id,timestamp-in,timestamp-out

In my last query, timestamp-out is blank.
Can anyone please help?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PowerPacked
Builder
‎07-23-2018 11:49 AM

Hi @shraddhamuduli

Are you trying to do a table of transaction-id,timestamp-in,timestamp-out with proper results,

Use the join command like this

index="idx_a" sourcetype IN ("logs") component= logpoint=request-in
| table transaction-id,timestamp-in| join transaction-id
[ search index="idx_a" sourcetype IN ("logs") component= logpoint=response-out
| table timestamp-out, transaction-id]
| table transaction-id,timestamp-in,timestamp-out

Only Join will map the transaction id with respective timestamp-in & timestamp-out.
Appendcols & append commands are used to append the results from main search to sub search, which is not a table of ordered correctly mapped data

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PowerPacked
Builder
‎07-23-2018 11:49 AM

Hi @shraddhamuduli

Are you trying to do a table of transaction-id,timestamp-in,timestamp-out with proper results,

Use the join command like this

index="idx_a" sourcetype IN ("logs") component= logpoint=request-in
| table transaction-id,timestamp-in| join transaction-id
[ search index="idx_a" sourcetype IN ("logs") component= logpoint=response-out
| table timestamp-out, transaction-id]
| table transaction-id,timestamp-in,timestamp-out

Only Join will map the transaction id with respective timestamp-in & timestamp-out.
Appendcols & append commands are used to append the results from main search to sub search, which is not a table of ordered correctly mapped data

Thanks

0 Karma
Reply
Solved! Jump to solution

CarsonZa
Contributor
‎07-23-2018 09:53 AM

try |appendcols instead of |append

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...