nano SIEM
Search Commands

append

Append results from a subsearch to the main search results.

Description

The append command runs a subsearch and adds its results after the results of the main search, producing a single result set. It does not correlate rows between the two searches; it simply stacks them. Use it to place two datasets side by side, such as the current time window next to a historical one, or events from two different sources, when a unified view or a comparison is needed.

Syntax

... | append [<subsearch>]

Required Arguments

subsearch
A complete search query enclosed in square brackets. The subsearch runs separately, and its results are added after the results of the main search.

Examples

Combine current and historical data

status=500 
| append [search status=500 earliest=-7d latest=-1d]

Compare two time periods

action=login earliest=-1d
| stats count() as today
| append [search action=login earliest=-2d latest=-1d | stats count() as yesterday]

Combine different sources

source_type="firewall" action=block
| append [search source_type="ids" action=alert]

Add baseline data

* | stats count() by user
| append [search earliest=-30d latest=-7d | stats count() as baseline by user]

Union multiple searches

severity=critical
| append [search severity=high priority=urgent]
| dedup _id

Usage Notes

Order preserved: Main search results come first, followed by the subsearch results in their own order.

Field alignment: The result set carries every field present in either search. A row that lacks a field has null in that field. In the two-period example above this produces two rows, one with `today` set and `yesterday` null, the other with `yesterday` set and `today` null; add a further stats step if both counts are needed on a single row.

Deduplication: append does not remove rows that match both searches. If the time ranges or conditions overlap, the same event appears twice. Use dedup (for example on `_id`) when duplicates between the two result sets matter.

Performance: The subsearch executes as a separate, complete search before its rows are attached, so a broad or long-range subsearch adds its full cost to the query. Keep the subsearch filters and time range as tight as the comparison allows.
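The following Python model makes the behaviour described in these notes concrete. It is an added example, not nano SIEM code or its query engine: the events, the `search`, `stats_count`, `append_results` and `dedup` helpers, and the epoch-second time handling are all constructed here for illustration. It reproduces the "Compare two time periods" example (two rows with null-filled fields) and a variant of the "Union multiple searches" example whose subsearch is widened from `severity=high priority=urgent` to `priority=urgent` so that one event matches both sides and dedup has something to remove.

```python
"""Model of append semantics (added example, not product code): subsearch rows
follow the main rows, the field set is the union of both sides with None where
a row lacks a field, and dedup keeps the first row seen per key value."""
from typing import Any, Dict, List, Optional

Row = Dict[str, Any]

# Constructed sample events; _time is epoch seconds relative to a fixed "now".
NOW = 1_700_000_000
DAY = 86_400
EVENTS: List[Row] = [
    {"_id": "e1", "_time": NOW - 2 * 3600, "action": "login",
     "severity": "critical", "user": "alice"},
    {"_id": "e2", "_time": NOW - 5 * 3600, "action": "login",
     "severity": "critical", "priority": "urgent", "user": "bob"},
    {"_id": "e3", "_time": NOW - 30 * 3600, "action": "login",
     "severity": "high", "priority": "urgent", "user": "carol"},
    {"_id": "e4", "_time": NOW - 50 * 3600, "action": "login",
     "severity": "high", "priority": "low", "user": "dave"},
]


def search(events: List[Row], earliest: Optional[int] = None,
           latest: Optional[int] = None, **terms: Any) -> List[Row]:
    """Equality filter on fields plus an optional [earliest, latest) window.
    Offsets are seconds relative to NOW, so earliest=-DAY models earliest=-1d."""
    out = []
    for ev in events:
        if earliest is not None and ev["_time"] < NOW + earliest:
            continue
        if latest is not None and ev["_time"] >= NOW + latest:
            continue
        if all(ev.get(k) == v for k, v in terms.items()):
            out.append(ev)
    return out


def stats_count(rows: List[Row], as_name: str) -> List[Row]:
    """Models `| stats count() as <as_name>` with no by-clause: one row."""
    return [{as_name: len(rows)}]


def append_results(main: List[Row], sub: List[Row]) -> List[Row]:
    """Main rows first, subsearch rows after them (order preserved). Every row
    is widened to the union of all field names; absent fields become None."""
    combined = list(main) + list(sub)
    fields: List[str] = []
    for row in combined:
        for name in row:
            if name not in fields:
                fields.append(name)
    return [{name: row.get(name) for name in fields} for row in combined]


def dedup(rows: List[Row], key: str) -> List[Row]:
    """Models `| dedup <key>`: keep the first row for each key value."""
    seen = set()
    out = []
    for row in rows:
        value = row.get(key)
        if value in seen:
            continue
        seen.add(value)
        out.append(row)
    return out


def compare_two_periods() -> List[Row]:
    """action=login earliest=-1d | stats count() as today
       | append [search action=login earliest=-2d latest=-1d
                 | stats count() as yesterday]
    Yields two rows, not one: each side only knows its own count field."""
    today = stats_count(search(EVENTS, earliest=-DAY, action="login"), "today")
    yesterday = stats_count(
        search(EVENTS, earliest=-2 * DAY, latest=-DAY, action="login"), "yesterday")
    return append_results(today, yesterday)


def union_with_dedup() -> List[Row]:
    """severity=critical | append [search priority=urgent] | dedup _id
    e2 is both critical and urgent, so it appears twice before dedup."""
    main = search(EVENTS, severity="critical")
    sub = search(EVENTS, priority="urgent")
    return dedup(append_results(main, sub), "_id")


if __name__ == "__main__":
    for row in compare_two_periods():
        print(row)
    for row in union_with_dedup():
        print(row)
```

Running the model shows why the two-period comparison needs a follow-up aggregation: `compare_two_periods()` returns `{"today": 2, "yesterday": None}` and `{"today": None, "yesterday": 1}` as separate rows. In `union_with_dedup()` the appended set holds four rows (e1, e2, e2, e3), e1 carries a null `priority` because the main search's events never had that field, and dedup on `_id` trims the set back to three.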

  • join - Combine searches with matching