Splunk Enterprise

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Enterprise

Splunk Enterprise Contents

Get Started

Administer

Search

SPL2 Search Reference

append command

append command: Overview, syntax, and usage

Manage Knowledge Objects

Leverage REST APIs

Release Notes and Updates

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Forward and Process Data

Process Data at the Edge

Connect Relational Databases

Collect Stream Data

Common Information Model

InfoSec App for Splunk

Using Splunk Mobile

Splunk OT Intelligence

REST API Reference

Splunk POD

SPL Search Reference

Splunk Validated Architectures

Developing Views and Apps for Splunk Web

Translated Documentation

MCP Server for Splunk Platform

append command: Overview, syntax, and usage

The SPL2 append command appends the results of a subsearch to the current results.

The SPL2 append command appends the results of a subsearch to the current results. This command runs only over historical data and does not produce correct results if used in a real-time search.

Syntax

The required syntax is in bold.

append

[ subsearch ]

Required arguments

subsearch

Syntax: [search subsearch_criteria]

Description: A search within a primary, or outer, search. The subsearch is run first. Subsearches must be enclosed in square brackets.

Usage

The append command is a transforming command, which orders the results into a data table.

This SPL2 append command does not support the following subsearch-options, which are used with the SPL version of the append command. Instead, the default values for these subsearch options are used:

extendtimerange: Any time range specified in the subsearch is ignored. Only the time range for the main search is used.
maxtime: The maximum time, in seconds, to spend on the subsearch before automatically finalizing is 60 seconds.
maxout: The maximum number of result rows to output from the subsearch is 5000.
timeout: The maximum time, in seconds, to wait for the subsearch to fully finish is 60 seconds.

See also

append command

append command: Examples

Last updated: January 16, 2026

Explore Topics

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Observability Cloud

Splunk IT Service Intelligence

AppDynamics SaaS

AppDynamics On-Premises

AppDynamics SAP Agent

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

Release Notes and Updates

Supported Add-ons

Splunk Style Guide

©2005-2025 Splunk Inc. All rights reserved.