appendcols command: Overview, syntax, and usage
The SPL2 appendcols command appends all of the fields of the subsearch results with the incoming main search results, except for internal fields.
The SPL2 appendcols command appends all of the fields of the subsearch results with the incoming main search results. The subsearch is run first. Then all fields of the subsearch are combined into the main search results, with the exception of internal fields.
For example, the first subsearch result is merged with the first main search result, the second subsearch result is merged with the second main search result, and so on.
Syntax
The required syntax is in bold.
appendcols
[ subsearch ]
Required arguments
subsearch
Syntax: [search subsearch_criteria]
Description: A search within a main, or outer, search. The subsearch is run first. The subsearch must be enclosed in square brackets.
Usage
If your search uses a transforming command such as stats or timechart. the appendcols command must be placed after the transforming command in the search. Transforming commands produce a table or summary of information that the appendcols values can be appended to.
The SPL2 appendcols command does not support the following arguments and subsearch-options, which are used with the SPL version of the appendcols command. Instead, the default values for these arguments and subsearch options are used:
- override: If a field is present in both the subsearch result and the main search result, the values in main search result is used.
- maxtime: The maximum time, in seconds, to spend on the subsearch before automatically finalizing is 60 seconds.
- maxout: The maximum number of result rows to output from the subsearch is 5000.
- timeout: The maximum time, in seconds, to wait for the subsearch to fully finish is 60 seconds.
See also
appendcols command