Splunk SPL Commands

What Are append and appendpipe?

The append command runs a secondary search and adds its results as new rows at the end of the current result set; fields that exist on only one side are null on the other. The appendpipe command takes the current results, runs a subsearch over them, and appends the subsearch output as additional rows. Together, they enable layered analytics, summary rows, and multi-source correlations.

append — Core Syntax

| append [subsearch]

appendpipe — Core Syntax

| appendpipe [<commands operating on current results>]

Security Operations Examples

1. Multi-Source Security Overview with append

index=security sourcetype=WinEventLog:Security EventCode=4625
| stats count AS events | eval source_type="Failed Logins"
| append [search index=network sourcetype=firewall action=denied | stats count AS events | eval source_type="Firewall Blocks"]
| append [search index=endpoint sourcetype=sysmon EventCode=1 | stats count AS events | eval source_type="Process Executions"]
| append [search index=email sourcetype=exchange | stats count AS events | eval source_type="Email Events"]
| table source_type events

2. Adding a Summary Total Row with appendpipe

index=security sourcetype=WinEventLog:Security EventCode=4625
| stats count BY Account_Name
| sort - count | head 10
| appendpipe [stats sum(count) AS count | eval Account_Name="=== TOTAL ==="]
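The two examples above need indexed data to run. The following search, added here as an illustration and not part of the original post, reproduces the same pattern from makeresults so it runs on any Splunk instance with no data onboarded. The source_type and events values are constructed; the host field is deliberately set on only one appended row to show that append stacks rows without aligning columns, so host is null on the other rows. It also combines the two techniques: eventstats computes each row's share of the total before appendpipe adds the "=== TOTAL ===" row.

```spl
| makeresults count=1
| eval source_type="Failed Logins", events=42
| append [| makeresults count=1 | eval source_type="Firewall Blocks", events=17]
| append [| makeresults count=1 | eval source_type="Process Executions", events=250, host="ws01"]
| fields - _time
| eventstats sum(events) AS total_events
| eval pct_of_total=round(events / total_events * 100, 1)
| appendpipe [stats sum(events) AS events | eval source_type="=== TOTAL ===", pct_of_total=100.0]
| table source_type events host pct_of_total
```

Expected output is four rows: the three constructed sources with pct_of_total 13.6, 5.5 and 80.9 (host populated only on the third), followed by the total row with events=309. Note the ordering: pct_of_total is computed before appendpipe, otherwise the total row would be included in the eventstats sum and every percentage would be halved.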

3. Comparing Current vs. Historical Baselines

index=network sourcetype=firewall action=denied
| stats count AS current_blocks BY dest_zone
| append [search index=network sourcetype=firewall action=denied earliest=-30d@d latest=-1d@d | bin _time span=1d | stats count BY _time dest_zone | stats avg(count) AS baseline_avg BY dest_zone]
| stats first(current_blocks) AS current first(baseline_avg) AS baseline BY dest_zone
| eval deviation_pct = round((current - baseline) / baseline * 100, 1)
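The baseline comparison above silently produces a null deviation_pct for zones with no baseline (division by zero yields null in eval) and says nothing about zones that have gone quiet. The search below is an added example, not part of the original post; it assumes the same index=network / sourcetype=firewall data with a dest_zone field. It aligns the "current" window to a full day so it is comparable with the per-day baseline, adds a standard deviation so a spike threshold is relative to each zone's own variance, and labels the edge cases explicitly.

```spl
index=network sourcetype=firewall action=denied earliest=-1d@d latest=@d
| stats count AS current_blocks BY dest_zone
| append [search index=network sourcetype=firewall action=denied earliest=-31d@d latest=-1d@d
    | bin _time span=1d
    | stats count AS daily_blocks BY _time dest_zone
    | stats avg(daily_blocks) AS baseline_avg, stdev(daily_blocks) AS baseline_stdev BY dest_zone]
| stats max(current_blocks) AS current, max(baseline_avg) AS baseline, max(baseline_stdev) AS baseline_stdev BY dest_zone
| fillnull value=0 current baseline baseline_stdev
| eval deviation_pct=if(baseline > 0, round((current - baseline) / baseline * 100, 1), null())
| eval status=case(
    baseline == 0 AND current > 0, "new zone (no baseline)",
    current == 0 AND baseline > 0, "went quiet",
    baseline_stdev > 0 AND current > baseline + 3 * baseline_stdev, "spike",
    true(), "normal")
| table dest_zone current baseline baseline_stdev deviation_pct status
```

Two caveats when reading the result. The baseline only averages days on which a zone actually logged denials, so a zone that is quiet most days gets a higher baseline than its true daily mean; if that matters, generate the full day-by-zone grid first. And because the subsearch covers 30 days of raw events, it is the part most likely to hit the default subsearch limits listed under Best Practices; a summary index or an accelerated data model is the usual remedy.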

append vs. appendpipe vs. join

Command      Data Source                  Best For
append       Independent subsearch        Adding results from a different index/source
appendpipe   Current result set           Summary rows, totals, averages of current results
join         Subsearch matched by field   SQL-style joins (use sparingly in Splunk)

Best Practices

  • Use appendpipe for totals and summaries — It’s the cleanest way to add a “TOTAL” row to a table.
  • Limit append subsearch results — Subsearches have a default 10,000 result / 60 second limit. Plan accordingly.
  • Prefer stats over append when possible — If you’re combining data from the same index, a single stats with eval categories is more efficient.
  • Use append for multi-index dashboards — When data lives in fundamentally different indexes, append is the right pattern.

Next in the series: The foreach command — iterating over fields dynamically.
